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ABSTRACT 



This thesis introduces a program that analyzes network protocols using the 
Communicating Finite State Machines (CFSM) model and the System of Communicating 
Machines (SCM) model. A simple, two machine implementation of CFSM model is 
initially explored. A number of simple protocols are demonstrated as a means to validate 
the automated tool (program). 

The second model implemented is that of the SCM model. The SCM tool uses many 
of the same data structures designed in the CFSM program . The SCM program is validated 
with an analysis of widely used data link protocols. 

Both programs were done in the Ada language environment. 
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I. INTRODUCTION 



“ simulations are set up to answer the question, what if..." 

♦ 

-Hamming, R. W., Future Engineering Practice 
Course Notes, 11 May 92. 



A. BACKGROUND 

The past ten years have seen an substantial increase in the need to communicate 
quickly and reliably over long distances using a wide range of architectures. We, the users, 
live in a ‘come as you are’ digital society. Access to some sort of network is needed to move 
information from user to user. This movement of information takes place on many 
networks (voice, message, data) and at many levels (physical, data link, network, and 
higher). The networks in. use today tend to be a heterogeneous mix of equipment and 
protocols. We, the network designers/engineers, must allow the user access to the available 
resources at the lowest cost. To do this a firm understanding of how machines ‘handshake’ 
and talk to one another must be realized. This is accomplish by applying protocol design 
principles. These principles can be applied to protocols and studied using a wide range of 
Formal Description Techniques (FDT’s). Examples of existing FDT’s will be reviewed and 
the need for an automated set of tools will also be explored. 

The need for machines to be able to communicate is inherent in any heterogenous 
environment. Machines do this through the use of standardized protocols. A protocol is a 
set of rules that govern the interaction of concurrent processes in distributed systems. 
Another widely used definition of a protocol is, a set of rules used for communication 
between two or more processes connected by a communication network. Hand in hand, 
protocol design and analysis is an important consideration in operating systems, computer 
networks, and data communications. For a protocol designer/architect to build an 
appropriate specification, he must use one of a number of modeling techniques. 
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Models or FDT’s of protocols are used for many purposes. They are used to describe 
the protocol unambiguously so that the exact operation is understood by both the protocol 
designer, implementor and user. A model is also used to provide a formal framework for a 
rigorous analysis of the protocol specification. With the advent of internetworking and the 
birth of Integrated Services Digital Network (ISDN), computer protocols have become 
more and more complex. The designer must now develop large sets of rules for information 
exchange that is logically consistent and efficiently implemented. To design a new protocol 
or to implement an existing one into a computing environment gives rise to a need for such 
a tool. 

There are many formal models available to protocol architects. Some of the more 
common models include Petri Nets, Communicating Processes, Communicating Finite 
State Machines (CFSM), System of Communicating Machines (SCM), the Language of 
Temporal Ordering Specifications (LOTOS), Specification and Description Language 
(SDL), and Extended State Transition Model Language (ESTELLE). LOTOS and 
ESTELLE are formal description techniques developed by the International Organization 
for Standardization (ISO) working laterally with the International Telephone and 
Telephone Consultative Committee (CCITT). 

The ISO is a standards publishing body including the American National Standards 
Institute (ANSI). In 1980, the ISO saw the advantages of standardizing a hierarchy of 
protocol services as a reference model for protocol designers. The model includes seven 
layers: physical, data link, network, transport, session, presentation, and application. The 
layer/class of protocols that will be analyzed in this thesis are the data link layer protocols. 

Each of the models that will be discussed have a means to amplify design principles 
of communications systemsfBART 87]. The first principle is for a model to reflect the 
behavior of the protocol. Behavior is modeled using conformance models, an example 
found in [RAND 92], Secondly, the model must allow refinement by the user. Safety and 
lively properties should be proven true. And the last principles that must be supported are 
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those of concurrency and nondeterminism. A good overview is found in King’s 
article[KING 91]. 

The need for a variety of models is apparent when it is considered that the interaction 
between machines occurs at different levels in the OSI structure and that behavior can be 
quite different among levels and machines. The models listed above will be reviewed in the 
following section. Most of the models have a means to informally follow the design 
principles. Upon close inspection of each FDT it is apparent that no one is perfect for all 
applications. As such, an automated tool will be presented that will make the use of two 
models (CFSM and SCM). The intuitive feel of each protocols coupled with the power of 
automating such a such models will enable the user to fully enjoy the important design 
principle of refinement. 

B. OBJECTIVES 

The objective of this thesis is to present a means of automating two powerful models 
of protocol validation and analysis. The first that was to be automated is the CFSM model. 
The data structures and program entities were developed and verified. The second tool 
automated is the SCM model. Although the SCM used many of the underlying data 
structures and logic of the CFSM, the SCM model is much more elegant and much more 
complex. The output information is provided to the user in an intuitive format. Once the 
two models were fully functional, test cases were input to the models to verify the 
functionality. Finally, a select number of existing protocols were input and the analysis 
compared to previous research using a manual method. 

C. SCOPE 

This thesis presents automated implementation of both the CFSM and SCM models. 
The implementation of each model was limited to two machine protocols. The 
specifications covered in this thesis lend themselves very well to the simulation or 
automated analysis. 
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The unboundedness properties of CFSM channels are obviously limited to the 
hardware that the tool is run on. A channel can have a bound the size of the largest machine 
register, in the case of the test runs, a SUN SPARC station, the upper bound was that of the 
largest integer(4.294967 x 10 9 items). 

An analysis of select data link protocols are included to illustrate the use of the CFSM 
and SCM automated models. The specifications will only address procedural rules, not 
formatting of messages. 

D. ORGANIZATION 

This thesis is organized into three sections. The first section includes Chapters II and 
m. Chapters II and HI give background information of pertinent models and language 
considerations. The next section. Chapters IV and V, give a detailed description of how the 
code was implemented to reflect the behavior of the two models. The final section. Chapter 
VI, describes the specifications of Alternating Bit, Go_Back_N, and Selective Repeat 
network protocols. It also describes how the user inputs the information into and receives 
output from the tool. A means for validating each automated model is discussed in this 
chapter. Finally, Chapter VII includes conclusions made based on the thesis work and 
recommendations for future work in the area. 
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n. BACKGROUND OF MODELS 



A. GENERAL 

This section contains an overview of some existing FDT’s. Each model is a different 
way to represent a protocol design or reflect network behavior. Each has its own inherent 
advantages and disadvantages, of which must be considered before application. Two 
models listed (ESTELLE and LOTOS) are automated. 

The first method of description is Petri Nets. Petri Nets are a graphical representation 
of a systems’s states and state changes. The possible states are captured using places which 
can hold tokens. A particular state is represented by a movement of tokens to states. State 
changes are described using transitions. This can be visualized as being similar to a directed 
graph. The input and output arcs associated with each transition determine how token 
placement changes. The behavior of a system can be determined by examining token 
movement within the net. Deadlock and freedom of livelock are examined in this model. 
The complexity of Petri Net representation increases with the size of the protocol being 
modeled. A major consideration for using this model is the intuitive feel of a protocol is lost 
on the complex cases. 

Another class ofFDT are models is called “communicating processes.” The following 
description is more closely examined in Lundy’s articlefLUND 92b]. The elimination of a 
set of global states is done through the use of invariants. Rather than generating the set of 
all possible states, and inspecting them to be sure no undesirable state exists, an assertion 
is made. The assertion states the desired property. It is proven that the protocol always 
satisfies the assertion, this must be proven without having to compute all the possible states 
which might be reached. The communication between processes takes place between 
unbounded FIFO queues. Processes are emulated by use of variables and statements. The 
execution of an action is an atomic event and no two actions may occur simultaneously. 
Since communication between processes can only occur using FIFO queues, actions may 
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only follow a given sequence. The SCM model demonstrates how this is characteristic is 
overcome. 

Extended State Transition Model Language (ESTELLE) can describe a system in 
terms of a set of communicating extended finite state machines through use of FIFO 
channels, similar the to definition of CFSM. This model describes the protocols as a 
collection of modules, each module is an extended FSM having memory-the difference 
between an CFSM and Estelle model is that the CFSM model has no memory. Modules of 
an entity can communicate through FIFO channels[SARI 91]. Messages are exchanged 
between entities as parameters to the modules. Estelle is ba^ed on Pascal and the extension 
of the language is a feature available to the programmer/user. The models automated in this 
thesis are similar to Estelle, however, data representation is implemented differently and 
the power of the language implemented (ADA) is utilized.ESTELLE also allows dynamic 
module creation/destruction and transition priorities. A model implementation 
consideration is ESTELLE cannot adequately represent broadcast channels, a shortcoming 
that the SCM model has shown very well suited for, such as CMSA/CD analysis [LUND 
91a]. 

Specification and Description Language was designed and implemented by groups 
SGXI and SGX of the CCITT. It was meant as a tool for the design and specification of 
telephone switches and their underlying protocols. Currently there are two versions of 
SDL; a graphical tool and a text program tool. Processes are represented by flowcharts, 
which could be concurrent to other processes. The eight traditional flowchart symbols 
represent atomic actions such as internal events, input and output, boolean expressions, 
wait conditions, statements, transitions, and connectors Each flowchart- has an associated 
channel (queue) used to process messages.The Holzman text [HOLZ 91] includes a more 
specific definition of SDL with some examples. One advantage to this approach is the user 
gets a feel, graphically, of the behavior of the protocol. The process execution is somewhat 
restricted to the properties that a FIFO queue has. 
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The ISO language of Temporal Ordering Specifications (LOTOS) is means of 
representation using hierarchically structured processes. As with ESTELLE, LOTOS was 
also developed by the ISO. A hierarchy of processes can correspond to one entity[SIST 91]; 
a concept that is reflected in object-oriented design environments. Systems represented 
using this model are organized using a set of interacting processes which exchange 
information with each other and with the external systems environment through gates. 
LOTOS is a superset language consisting of an abstract data type language and an algebraic 
notation language, both of which uphold good design principles covered earlier. Interaction 
is synchronous through gates that have a one-to-one mapping to interaction points. 

The tool implemented in this thesis uses the technique of representing portions of 
machine behavior as abstract data types, as demonstrated using. A technique of interpreting 
machine behavior through use of finite state machine representation, as with ESTELLE, 
will also be integrated into the design. Plans for future upgrade of this tool include a 
graphical interface similar to that of SDL. 

B. COMMUNICATING FINITE STATE MACHINES 

One of the first manual tools used for analyzing communication protocol behavior was 
the communicating finite state machine(CFSM) model. This modeled each machine in the 
network as a finite automaton, or finite state machine, with communication channels 
between pairs of machines modeled as one-way, infinite length FIFO queues. There has 
been a great deal of work in this area, a few include [PENG 91], [VUON 83] and [RUDI 
83]. The model is defined for an arbitrary number of machines; however for simplicity sake 
will be presented as a two machine model as shown in Figure 1 . 




Figure 1 : CFSM, two machine behavior representation 
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In this section the CFSM model will be defined [GOUD 83]followed by a simple 
protocol analysis to illustrate the model. 

A communicating machine M is a finite, directed labeled graph with two types of 
edges, sending edges and receiving edges. A sending (receiving) edge is labeled ‘-g’ (‘+g’) 
for some message g, taken from a finite set G of messages. One of the nodes in M is 
identified as the initial node, and each node is reachable from the initial node by some 
directed path. A node in M whose outgoing edges are all sending ( receiving ) edges is a 
sending (receiving) node; otherwise the node is mixed node. If the outgoing edges of each 
node in M have distinct labels then M is deterministic ; otherwise M is nondeterministic. The 
nodes of M are often referred to as states; the two terms are used interchangeably. 

Let M and N be two communicating machines having the same set G of messages; the 
pair (MJV) is a network. A global state of this network is a four-tuple [m,c m ,c n ,n] where m 
and n are nodes (states) from M andA, and c m and c n are strings from the set G of messages. 
Intuitively, the global state [ m,c m ,c n ,n ] means that the machines M and N have reached 
states m and n, and the communication channels contain the strings c m and c n of messages. 
Channel c m contains the messages sent from M and N, and channel c n the messages sent 
from N to M. The string c,- will be referred to as channel c,-. 

The initial global state of (A///) is [m 0 ,E,E,n 0 ], where m Q an n 0 are the initial states of 
M and N, and E is the empty string. 

The network progresses as transitions are taken in either M or N. Each transition 
consists of a state change in one of the machines, and either the addition of a message to 
the end of one channel (sending transition) or the deletion of a message from the front of 
one channel (receiving transition). 

A sending transition in M(N) adds a message to the end of channel c m (c n ); a receiving 
transition in M(N) removes a message from the front of channel c n (c m ). 

If S]=[m,ci,Cj,n] is a global state of (MjV), and state S2 follows sj if there is a transition 
(in M or N) which can be executed in Sj, such that the resulting state is S 2 - A state S 2 is 
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reachable from state S] if there is a sequence of states Si,Si+j,...Ji +p such that si follows Sj, 
s i+l follows S(, and so on, and $2 follows S( +p . A state s is reachable if it is reachable from 
the initial state. 

The communication of a network (A/AO is bounded if, for every reachable state 
[m,c m ,c n ,ri\ there is a nonnegative integer k such that |cj <,k and |cj <,k , where id denotes 
the number of messages in channel c. 

A reachability graph of a network (A/ AO is a directed graph in 7 which the nodes 
correspond to the reachable global states of (A/ AO, and the edges represent the follows 
function, such that there is an edge from state s,- to state Sj, if and only if, sj follows s,-. The 
edges are labeled with the transition which they represent The reachability graph can be 
generated by starting with the initial state, and adding the states which follow it, connecting 
them to it with edges; dnd repeating for each new state generated.An overview of the 
functional units of the CFSM model is shown in Figure 1. 



Machine 1 




Figure 2: CFSM model representation. 

A global state [m,c m ,c n ,n] is a deadlock state if both m and n are receiving nodes, and 
c m =c„=£, where E denotes the empty string. 

A global state [m^c^c^n] is an unspecified reception state if one of the following two 
conditions are true; 
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(1) m is a receiving state, the message at the head of channel c n is g, and none of MS 
outgoing transitions is labeled 4 +g.’ 

(2) n is a receiving state, the message at the head of channel c m is g, and none of Vs 
outgoing transitions is labeled ‘+g.‘ 

A simplified version of the stop-and-wait data link protocol will be analyzed as an 

example of analysis with the CFSM model. The interfaces between layer 6 (user)and layer 
% 

2 (data link) of the Open Systems Interconnection (OSI) model is transparent in all the 
examples addressed in this thesis. An assumption is made that the higher layer has passed 
the information/frames without error. The frames at each layer have accomplished the 
appropriate concatenation of header and address information. So, at layer 2, this protocol 
consists of two distinct entities, a sender and a receiver. Machine one serves as the sender 
and machine 2 serves as the receiver as shown in Figure 3. The sender places a frame on 
the channel to the receiver. The receiver senses a frame on the incoming channel and 
accepts the message from the channel, removing the message from the incoming channel. 
The receiver then sends an acknowledgment packet to the sender. The sender senses the 
acknowledgment packet and is clear to send another frame of information to the receiver. 



Machine 1 Machine 2 




Figure 3: CFSM specification for stop-and-wait. 

The finite state machines in Figure 3 represent the behavior of the definition of the 
stop-and-wait protocol. The -D represents sending data, +D, receiving data, -A, send 
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acknowledgment, and +A , receive acknowledge. As per the definition of the CFSM model, 
there is two channels, one from machine 1 to machine 2 and one from machine 2 to machine 
1. The notch on state 1 of both machines represents the initial/starting state. 

The global reachability analysis graph shown in Figure 4 is free from deadlock, 
unspecified receptions, and unexecuted transitions. 



[ 0 , E , E , 0 ] 

l' D 

[ 1 , D . E , 0 ] 
+D 

[ 1 , E E,l] 

l - 1 

[ 1 , E , A , 0 ] 
I +A 



Figure 4: CFSM, global reachability analysis, stop-and-wait. 



This model has many desirable features as well as some disadvantages that are 
improved in the SCM model. The one glaring disadvantage is that the analysis might not 
terminate if the queue length is unbounded. The number of global states in Figure 4 is 
trivial, but for complex specifications the number of states will lead to a combinatorial state 
explosion. This is even true when the queue length is very restrictive. As pointed out in 
[LUND 91b], the specification of a practical protocol can be so complex, containing 
hundreds of states and transitions, that the user can not be sure of the intended specification 
or grasp the intuitive feel for what the protocol is intended to do. This model has the 
advantage of simplicity and a method of analysis that can be easily automated. 
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C. SYSTEM OF COMMUNICATING MACHINES 



In this section the model used to specify and analyze protocols is briefly described. A 
more detailed description appears in [LUND 91a] . Following the definition of the model 
will be an analysis of a simple protocol to illustrate the model. 

A system of communicating machines is an ordered pair C = (M,V), where 

M={m lt m 2 ,...sn n } 

is a finite set of machines, and 

y=(v 7 ,v 2 ,...v n } 

is a finite set of shared variables, with two designated subsets /?, and W t specified for each 
Machine m v The subset ft, of V is called the set of read access variables for Machine m,-, 
and the subset W) the set of write access variables for m v 

Each Machine mi E M is defined by a tuple {S- v Sq,Li^i,Xi), where 

(1) Si is a finite set of states; 

(2) sq £ 5/ is a designated state called the initial state of m,-; 

(3) Li is a finite set of local variables', 

(4) Ni is a finite set of names, each of which is associated with a unique pair (p,a), 
where p is a predicate on the variables of Li u Ri and a is an action on the variables of 

Li u Ri u Wi 

(5) X Si x Ni Si is a transition function, which is a partial function from the states 
and names of m,- to the states of m j. 

Machines model the entities, which in a protocol system are processes and channels. 
The shared variables are the means of communication between the machines. Intuitively, 
Ri and Wj are the subsets of V to which mi has read and write access, respectively. A 
machine is allowed to make a transition from one state to another when the predicate 
associated with the name for that transition is true. Upon taking the transition, the action 
associated with that name is executed. 
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The set L z of local variables specifies a name and a range for each. The range must be 
a finite or countable set of values. 

A system state tuple is a tuple of all machine states. That is, if ( M,V) is a system of n 
communicating machines, and Sj, for 1 < i < n, is the state of Machine m,-, then the n-tuple 
(sj,S 2 ,...Jn) is the system state tuple of (A/,V). 

A system state is a system state tuple together with its enabled outgoing transitions. 
Two system states are equivalent if every machine is in the same state, and the same 
outgoing transitions are enabled. 

The initial system state is the system state such that every machine is in its initial state, 

and the enabled outgoing transitions are the same as in the initial global state. 

The global state of a system consists of the system state, plus the values of all 

variables, both local and shared. The initial global state is the initial system state, with the 

additional requirement that all variables have their initial values. A global state 
% 

corresponds to a system state if every machine is in the same state and the same outgoing 
transitions are enabled. 

Let T(s;,n) = S 2 be a transition which is defined on Machine m,-. Transition X is 

enabled if the enabling predicate p, associated with name n, is true. Transition X may be 
executed whenever m,- is in state sj and the predicate p is true (enabled). The execution of 

X is an atomic action, in which both the state change and the action a associated with n 
occur simultaneously. The format for the associated predicate-action table is shown in 
Table 1. 
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GLOBAL.VARIABLE 




Figure 5: SCM, two machine behavior representation. 
TABLE 1: SCM, two machine predicate-action table format. 



Transition 


Enabling Predicate 


Action 


Transitions 
for Machine 1 


Values of variables that must 
hold true for the transition to be 
enabled. 


The local and GLOBAL variable 
behavior when the transition is 
taken. 


Transitions 
for Machine 2 


Same as above. 


Same as above . 



Note that if the values of all variables are restricted to some finite range, then the 
model can be reduced to a simple finite state machine. Otherwise an infinite number of 
global states are possible. However, even if the number of global states is infinite, the 
number of system states is finite, because of the finiteness of each machine. This may allow 
a reachability analysis on the system states, when a reachability analysis on the global states 
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is infinite. General behavior of the SCM model is shown in Figure 1 and the general SCM 
model representation is found in Figure 1. 




Figure 6: SCM, general model representation 

The stop-and-wait protocol will also be used to demonstrate the analysis using the 
SCM model. The stop-and-wait protocol specification is the same as defined in the previous 
section. The specification as represented by the SCM model is shown as a set of finite state 
machines and a predicate-action table. 

The finite state machine representation for the SCM model is similar to the CFSM 
example. Again this protocol is only demonstrated with two machines. The FSM’s are 
shown in Figure 3. Also shown are the local and global variables. The local variables in 
Machine 1 and 2 can have the values of D(data), A (acknowledgment), and E(empty). The 
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initial value for out_buff\s D and the initial values for all other variables is E. The system 
global variable, CHAN can have the same values as the local variables. 

Machine 1 Machine 2 





Figure 7: SCM specification for stop-and-wait, finite state machines and variable 

definitions. 

The predicate-action table is shown in Table 2. For this example the assumption is 
made that data is always made available to the CHAN from ou.t_bu.ff. 

TABLE 2: SCM specification for stop_and_wait, predicate action table. 



Transition 


Enabling Predicate 


Action 


-D 


CHAN = £ A 
out_buff /= £ 


CHAN := outjbuff 


+A 


RET = A 


RET := E 
CHAN := £ 


+D 


CHAN 1= E 


in_buff:= CHAN 


-A 


true 


RET := A 
injbuff := e; 
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The global state reachability and system state reachability graphs are found in Figure 
4 and Figure 4. The format for the global state tuple of the stop-and-wait protocol is: 

[ Machine l_state, out_buff, CHAN, RET, in_buff, Machine2_state ] 



-►[ 0,d,E,E,e,0] 

r 

[ 1 ,d,D,E,e,0] 

* 

[l,d,D,E,d,l] 

[l,d,D,A,d,0] 
I +A 



Figure 8: SCM, global reachability analysis, stop-and-wait. 

The format for a system state tuple for all cases of analysis is: 

[ Machine l_state, Machine2_state ] 

0] 

-D 

0] 

+D 

1] 

-A 

0] 

+A 



Figure 9: SCM, system reachability analysis, stop-and-wait. 



► [0 
[1 
[1 

i 

[1 
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The SCM model has desirable properties found in the CFSM model as well as 
overcoming some of the inherent disadvantages of the CFSM model. In the SCM model the 
behavior of the protocol can be clearly and quite adequately represented, maintaining an 
intuitive feel of the specification. The SCM model can ameliorate the combinatorial state 
explosion through the use of system state analysis, greatly reducing the generated states. 
Instead of implicit queues, shared variables are used for communications between 
processes. This allows communications between machines in non sequential manner, 
unlike a FIFO queue representation in the CFSM model. 

The final advantage is the nature of the SCM’s representation of a protocol gives it 
the feel of a programming language. Although more complex to program than a CFSM 
model, the actions associated with the FSM and the predicate-action table lend themselves 
to automated implementation. 

D. LANGUAGE CONSIDERATIONS 

Which language should the CFSM and SCM models would be implemented in? 
Before all the available languages were researched, a list of desirable properties that the 
language must have (specific to the models), was developed. After a close inspection of the 
definition and nuances of the CFSM model, SCM model, and the reachability analysis 
generated, there were a number of language properties that were found desirable to this 
project. 

The language properties should support hardware and software design issues. The 
code must be portable from one architecture to another. The language should have a means 
to create different class instances from a base class. An intuitive means to provide 
meaningful output of the analysis and programming error messages to the user enhances 
the program’s utility. Since the program must simulate network specifications there is an 
inherent need to be able to do multiprocessing or multitasking in the programming 
environment. The language of choice should enforce the rules of strong typing, that is not 
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allowing mixing of types and subtypes. The final property of the language should be its ease 
of use and understandibility. 

The language of choice should be portable between different machines. It cannot be 
assumed that the user has access to a mainframe computer or workstation. The language 
should be compilable on a machine as small as a personal computer. 

Implementation of the models should help the user to avoid and detect mistakes. The 
environment should prompt the user when a syntactical or semantic error is made. The error 
messages should be meaningful. Inherent to this requirement, the language should enforce 
strict definitions of atomic structures, such as data structures. 

Dynamic list creation /deletion are necessary in reachability graph construction. This 
allows flexible and ultimately limitless (hardware specific) analyses to be done. Linked list 
creation and traversal should make use of reusable programming units. The logic for 
creating new nodes should allow the program to ‘remember’ where the last node was built. 
This-should be done automatically, without user intervention after compile time. 

An important property, although subject to varying opinion, is ease of use. The project 
is developed in one language, but the human interface to the underlying code must be 
understandable and intuitive. Hand in hand with ease of use, is ease of maintainability. 
There should be enough on-line and off-line help to allow the user to navigate the the user 
interface. An understandable debugger was also a factor in the choice. 

Ada was chosen because it supports the above mentioned properties. It is a language 
that is portable between different architectures. It supports generic class creation and 
instantiation. Through the use of predefined input and output packages, the user is allowed 
to build a suitable interface environment. With the use of exception handling meaningful 
error messages can be created and employed. Ada also has the ability to multitask, 
simulating parallel processing. Finally, Ada is easy to use. The code can be read by a novice 
and understand what is meant to happen. 

The language of C/C++ was not chosen due to a few limitations. At the time of this 
writing it could not support multitasking needed to simulate concurrency or broadcast 
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networks. It was also difficult to do generic-like coding. The object orientation of the 
design lent itself very nicely to the structures used in the CFSM and SCM model as covered 
in [RUMB 91]. It became apparent that there was reused code that would have been more 
efficiently implemented with generic data structures. Although it could have been done 
with the use of macro-like instructions, generic packages made the project more compact 
and efficient. Generic package creation and instantiation was not supported by the current 
version of the C/C++ compiler. The C programming environment does not support 
exception handling; programming error detection messages were vague and could not be 
developed by the user. A good means of automatic implementation of error messages in the 
C++ environment was not available at the time of this publishing. Ada could do this 
through use of exception handling. 
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HI. A PROGRAM FOR GENERATING A CFSM REACHABILITY 

ANALYSIS 



In this chapter the organization of the CFSM program will be described.The means for 
input, output, and reachability analysis will be highlighted. Excerpts of the underlying code 
will be accompanied by a brief explanation. The formal definition of the CFSM model 
found in Chapter II is the basis for constructing the program. 

A. PROGRAM STRUCTURE 

The structure of the CFSM program is based on functional units (objects) of the 

general CFSM model. The data structures of the basic objects must represent 

communication channels, machine states, transitions, and a means for capturing global 

tuple (state) values. In addition to constructing the fundamental data structures, there must 

be an intuitive input mechanism for the FSM’s and an understandable display of the 

analysis. 

% 

Implementation details should be hidden from the user. Operations such as loading the 

/ 

CFSM into memory, performing a reachability analysis, constructing the global 
reachability graph, and traversing the graph during searches/output are independent of the 
specific protocol to be analyzed. 

The program consists of input related procedures, a reachability analysis, and output 
procedures. To help manage such a complex and large programming project, separate 
compilation units were used. The compilation units were physically grouped by file 
according to the function it performed as shown below: 

TABLE 3: CFSM compilation units. 



Compilation Unit 


Description 


File 


read_in_file 


parse text input file 


input.a 


load_machine_array • 


builds machine adjacency 
lists from parsed file 


input.a 
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Compilation Unit 


Description 


FUe 


build_Gstate_graph 

• 


builds global reachability 
analysis graph 


reachability.a 


clear_pointers 


clears values for another 
input file 


reachability, a 


search_for_tuple 


performs BFS search of 
graph 


search.a 


IsEqual 


compares global records 
for equality (similar to =) 


search. a 


output_Gstate_node 


format for node output 


output.a 


output_Gstate_transition 


format for transition output 


outputa 


output_Gstates 


traverses graph and outputs 
nodes and transitions 


outputa 


output_machine_arrays 


format output of contents 
of adjacency lists 


outputa 


create_output_file 


creates file for analysis out- 
put 


outputa 

/ 



This use of separate subprograms (compilation units) facilitated the development of the 
SCM program from existing CFSM code. 

The behavior at run time is shown in Figure 10 and associated files of the CFSM 
program are shown in Figure 11. 



Reachability 

Text File (FSM’s) Analysis 




Figure 10: CFSM run time behavior 
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Generic Packages 



^nteger_IO 

^EnumeratioiO^ 



main procedure 




inpuLa 



Separate Compilation 
Units (contained in 
files) 



output, a 



search.a 



reachability.a 





Figure 11: CFSM compilation units. 

i 

During the design phase of the program it became apparent that some software 
components and structures were used more than once. For instance, when doing a 
reachability analysis many types of stacks and queues were used. Although the underlying 
data types were different, the algorithm for each structure was exactly the same. To increase 
efficiency, generic. packages were used. Generic units are defined as a reusable software 
module or a program unit template [GONZ 91]. 

The implementation of stacks and queues is accomplished using generics. For 
instance, within the program there is a need for a queue of characters representing the flow 
of information on the channels between two machines. To assist in the construction of the 
reachability graph there needs to be a queue of pointers to graph nodes (see Section C). 
Each type of queue has some common procedures and functions. Each needs procedures to 
clear the queue, enqueue, and dequeue. Each must also have functions that return the value 
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of the first item of the queue, determine if the queue is empty and determine if the contents 
of two queues are equal. If these common functions and procedures had to be rewritten with 
a different underlying data type, the number of compilation units as well as the object code 
would increase; thus the user would be saddled with more ‘waiting 5 time. 

The protocol environment can be modified by using generic parameters. The generic 
package, queues, has two parameters to the object- the item type and the maximum size of 
the queue. This allows the user to define what type of items are contained in the 
channel(queue) and how big the channel(queue) can be. Two instantiations of queues in the 
program are; 

package queue_pack is new queues (character, MAX=>3) ; 

package Gpointer_queue_pack is new queues (Glink_type, MAX=>10 ) ; 

The queue _pack package defines a queue of characters. A ceiling or bound can be placed 
on the amount of messages on a channel. If an unbounded channel is to be simulated the 
maximum allowable integer can be given. The pointer queue G pointer _queue _pack gives 
the user a means to determine the maximum size of a reachability graph. Although, in the 
general case, a large number is preferred to allow all tuples (states) to be generated in a 
protocol reachability graph. The generic package stacks was implemented in a similar 
fashion. 

B. INPUT 

An important step in designing the CFSM and SCM programs is developing a 
meaningful method of inputting the finite state machines. The graphical representation of 
a simple FSM conveys a behavior associated with a protocol specification. A means to 
transfer this graph into a data structure that can be used in the reachability analysis was 
developed. 

The FSM’s were input as a text file. This file is built by the user with a set of language 
rules similar to Backus-Naur Form (BNF). The input file is parsed one line at a time. Each 
line is read into a line buffer and tokens formed according to the rules defined below. From 
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the tokens, an internal data structure is generated to represent the set of finite state 
machines. The list of valid instructions for finite state machine input is: 



start 

machine 

state 

initial_state 

trans 

finish 



<natural> 

<natural> 

<natural> <natural> 

<- 1 +> <a | b | . . . | z | A I B | . . . | Z> <natural> 



The tokens are cast into either enumerated types (instructions) or integers (integer 
variables). The integer variables have been formally defined within the main procedure in 
Appendix A. 

The meaning of the instructions are: 





start 


Serves as a beginning flag for the file 




machine 


Defines the current machine. 




state 


Defines the current state. 




initial_state 


The intitial/start state for 






machines ohe and two. 




trans 


Transition type, transition 






message, and next state. 


/ 


finish 


This token serves as an ending flag for 






the file. 



Representation of a finite state machine using the above convention has some inherent 
constraints. Since an input token, such as the transition -D, cannot be directly caste into an 
enumeration token (no special characters at the beginning of a token), the (-,+) must be 
converted separately to (sndjcv) tokens. The use of alphabetic characters to represent 
messages in a channel, limits messages to 52 distinct types (a..z,A..Z). The input file for 
stop_and_wait is: 



start 
machine 1 
state 0 
trans -D 1 
state 1 
trans +A 0 
machine 2 
state 0 
trans +D 1 
state 1 
trans -A 0 
initial_state 0 0 
finish 
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The data structure representing the CFSM is then used to construct a reachability 
analysis graph. The two data structures that support directed graphs (or finite state 

9 

machines) are adjacency lists and adjacency matrices. Since the use of adjacency matrices 
to construct directed graphs can lead to wasted hardware memory, adjacency lists (one 
dimensional array of linked lists) were implemented. 

The data structure to build the adjacency list and the constraints are: 



type machine_array_record_type; 

type Mlink_type is access machine_array_record_type; 
type cf sm_transition_type is (snd, rev, unused) ; 
type executed_type is (yes, no) ; 
type machine_array_ record_type is 
record 



transition 

message 

next_state 

executed 

Mlink 

end record; 



: cf sm_transition_type; 
: character; 

: natural; 

: executed_type; 

: Mlink_type 



type machine_array_type is array (positive rangeO) 
of Mlink_type; 

type system_array_type is array (1.. 2) 
of machine_array_type; 



Some data structures shown above are peculiar to Ada. Access types are data types that 
provide an access (“pointer”) to an object of another type or subtype. It reserves storage 
locations during the execution of a program dynamically by use of a memory allocator. A 
record type is simply a collection of elements where each element is referred to by its name. 
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The array of linked lists is defined as an unconstrained array; whereas, at compile time, the 
number of machines is set at two. To illustrate the finite state machine data structure the 
CFSM stop_and_wait protocol is shown in Figure 12. 

Machine 1 



<o 

w 

C3 

w 

00 



0 


•— 


1 


•— 


2 


•— 



transition 


snd 


message 


D 


next state 


i 


executed 


no 


Ml ink 








transition 


rev 


message 


A 


next state 


0 


executed 


no 


Mlink 





Machine 2 



<o 

w 

Oj 

4-* 

00 




Figure 12: Finite State Machine representation, stop_and_wait 

C. REACHABILITY ANALYSIS 

In order to determine if all states in a network are reachable a graph is constructed. 
After the textual representation of the CFSM is input, the adjacency lists are constructed as 
described in the previous section. The initial states for each machine indicate the starting 
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position of each list. From the lists a directed graph is constructed. It is from this directed 
graph that deadlocks and unspecified receptions are sensed and the appropriate output 
message is displayed. 

The algorithm to construct the global reachability graph is: 



bop 

for machinel array index in 1.. row size loop 

if machinel (array Jndex). transition=snd or 
machinel (array Jndex). message=top_ofqueue21 then 
make temp Gstate record 
search list for Gstate record 

if found then link current to found state 
else make new node and link into Gstate jgraph 
and push pointer onto pointer stack 
else nonejound 
end loop 

for machine2 array Jndex in L.rowsize loop 

if machine2 ( array Jndex). transit ion = snd or 
machine2(array Jndex). message -top _ofqueuel2 then 
make temp Gstate record 
search list for Gstate record 

if found then link current to found state 
else make new node and link into Gstate jgraph 
and push pointer onto pointer stack 
else nonejound 
end loop 

if stack is empty then 

raise STACK EMPTY 

else 

pop last Gstate 

end loop 



The initial global state tuple (node) is created from the starting state of each machine’s 
adjacency list. From the top node, tuples (global states) are added to the graph using the 
reachability algorithm. The algorithm shows the graph being constructed with stack based 
implementation, allowing a breadth first construct. The option is given to the user to 
construct the graph depth first. A case statement is used to toggle between stack or queue 
procedures/functions (this is not shown in the algorithm above.) Figure 13 shows the 
internal representation of the global reachability graph for the stop_and_wait protocol 
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top Gstate 

B — 
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0 


machine 1 state 


0 


machme2 state 


0 


queue 12 
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queue 21 
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link ^ 


□nnn 



Gtransition 
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Gmessaee 


D 


new node 
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Glint 
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i 


machine 1 state 


1 


machme2 state 




queue 12 


D 


queue 21 
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link _ 


□nnn 



+ ++ 



Gtransition 


rev 


Gmessaee 


D 


new node 
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_ Glint 





number 


2 


machine 1 state 


1 


machine2 state 


1 


queue 12 


null 


queue 21 


null 


link _ 


□nnn 



Gtransition 


snd 


Gmessaee 


A 


new node 


yes 


Glink 


* 







Gtransition 


rev 


Gmessaee 


A 


new node 


no 


Glink 


9 



number 


3 


machine 1 state 


1 


machine2 state 


. _ 0 


queue 12 


null 


queue 21 


A 


link 


□nnn 







Figure 13: CFSM internal reachability graph, stop_and_wait 
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Note that when a tuple is generated a data structure representing a transition and a node are 
separately added. The field newjiode was included in the transition structure to allow 
proper traversal of the graph. The current version of the program allows for four transitions 
from each tuple. This can be expanded upward if needed. 

Exception handlers were used to maintain control in the reachability graph 
construction. Whenever a queue or stack is empty the control is handed to the exception 
handler to continue program execution. The exception handlers allow definition of specific 
error conditions to be sensed and appropriate action taken. 

During graph construction, global state tuples are identified that satisfy the deadlock 
and unspecified reception properties. If a global state node has only receiving transitions 
from it and both the queues are empty, a deadlock message is displayed to output. If the 
global state node has outgoing receive transitions and the head of the respective queue does 
not match the receive transition (assuming the queue(s) are not empty) then an unspecified 
reception message is displayed to output. When the construction of the graph is complete 
the adjacency lists are checked for any unexecuted transitions. The contents of the lists are 
displayed after the output of the graph is done. Unexecuted transitions are identified by the 
execution field, with a no entry. For an example see Figure 15 

Upon completion of the reachability graph construction, a pointer to the top global 
state node is passed to the output procedure. 

When constructing a reachability graph there are two factors that need to be 
considered- run time and the size of the graph generated. As noted earlier, a ceiling can be 
placed on the size of the graph by the user prior to compilation. Ideally, a specification can 
be input to the program and an analysis could run for as long as needed (perhaps days); 
however, most computer systems are limited by storage. The question of storage capacity 
is left to the user of the program. A determination must be made as to how large a graph to 
anticipate (worst case is the largest integer represented on the register) and how much 
storage space can the underlying system provide. 
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The design of the program addresses the issue of running time. The running time, or 
complexity, of the reachability analysis is dominated by the algorithm that governs the 
directed graph traversal. All traversals are done in both models (CFSM and SCM) in a 
recursive, depth first manner. The complexity, or big O notation, for traversals of a directed 
graph can easily be defined. Consider a reachability graph G=(V v £) consisting of a set V of 
vertices(nodes), and a set E of edges(transitions). Each edge corresponds to a pair of 
distinct vertices in the directed graph. The running time or complexity of such a graph 
traversal is proven by induction to be 0(IV1 + l£l). A rigorous proof of the complexity 
appears in [MANB 89], 

D. OUTPUT 

The output procedure for the CFSM tool displays the reachability graph and 
associated messages to both a text file and the default output device. The output procedure 
has as a parameter a pointer to the top global state (node). From the top node the graph is 
traversed in a depth first manner and saved to an output medium. The contents of the 
adjacency list are also displayed to output providing a means to cross check the CFSM 
construction and identify unexecuted transitions as shown for stop _and_wait in Figure 14. 



31 



REACHABILITY ANALYSIS of : stop.and.wait 



1 


C 


0 , 


E , E , 0 ] 


-D 


C 


1 


, D , E , 0 ] 


2 


2 


C 


1 , 


D , E , 0 ] 


♦D 


[ 


1 


, E , E , 1 ] 


3 


3 


c 


1 , 


E , E , 1 ] 


-A 


C 


1 


, E , A , 0 ] 


4 


4 


[ 


1 , 


E , A , 0 ] 


♦A 


[ 


0 


, E , E , 0 1 


1 



1 Machine 1 Array Contents 1 


1 From 


1 To 1 


Transition 1 


Executed 1 


1 0 


1 1 1 


snd D 1 


yes 1 


1 1 


1 0 1 


rev A 1 


yes 1 



I Machine 2 Array Contents I 



1 From 1 


1 To 1 


Transition 


1 Executed 1 


1 0 1 


1 1 1 


rev D 


1 yes 1 


1 1 1 


1 0 1 


snd A 


1 yes 1 



* The nodes generated by the analysis 
were done in a breadth first manner 



Figure 14: CFSM, analysis output, stop_and_wait 

To illustrate the formatting of the model’s output an example is presented. Assume 
that a CFSM exists reflected by the following specification: 



Machine 1 Machine 2 





The input file is: 
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start 
machine 1 
state 1 
trans -D 2 
state 2 
trans +A 1 
machine 2 
state 1 
trans +D 2 
state 2 
trans -A 1 
initial_state 1 1 
finish 

The output file reflecting deadlock, unspecified receptions, and unexecuted transitions 
is shown in Figure 15. 

REACHABILITY ANALYSIS of : deadlock.exanpls 
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S I 2 , E , BB , 3 ] ******* Unspecified Reception ****** 



I Machine 1 Array Contents 



I Fro* I To I Transition I Executed 



I 1 I 2 I snd X I yes 

I 2 I 1 I rev A I no 



I Machine 2 Array Contents 



I From I To I Transition l Executed 



1 1 1 


1 3 1 


snd 


B 1 


l yes 


1 


1 1 1 


1 2 1 


rev 


X 1 


l yes 


1 


1 2 1 


1 1 l 


rev 


B 1 


1 no 


1 


1 3 1 


1 1 1 


rev 


X 1 


1 yes 


1 



* The nodes generated by the analysis 
were done in a depth first manner 



Figure 15: CFSM, analysis output, deadlock/unspecified reception/unexecuted transition 

example. 



IV. AN AUTOMATED TOOL FOR SCM REACHABILITY 

ANALYSIS 



In this chapter, a program is introduced that automates the SCM model . It provides 
an intuitive environment to input a protocol specification and receive the analysis in an 
understandable format. Since the model only uses variables and finite state machines to 
describe a protocol’s behavior, it is considered an approximate model. There are certain 
details of protocol design, such as message and header format, that are abstract from the 
analysis. The succinctness of a protocol representation helps analyze the logic and structure 
without getting lost in a myriad of detail. 

The organization of this program is similar to that of the CFSM program. A means for 
input, output, global reachability analysis, and system reachability analysis are highlighted. 
Excerpts of the code are accompanied by a brief explanation of structure and 
application.The formal definition of the SCM model found in Chapter II is the basis for 
constructing the program. 
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The protocol specification and analysis of the stop _and_wait data link protocol will 

be used throughout this chapter to demonstrate the interface of the program to the user. The 

specification for the sample protocol is shown in Figure 16. 

Machine 1 Machine 2 

CHAN 




RET 




Transition 


Enabling Predicate 


Action 


xmtjdata 


CHAN = E A 
outjjuff 1= E 


CHAN ;= out_buff 


rcvjick 


RET -A 


RET £ 
CHAN := E 


rcvjdata 


CHAN /= E 


in_buff ;= CHAN 


xmtjick 


true 


RET := A 
injmff := e; 



Figure 16: SCM, specification for stopjindjwait. 

A. PROGRAM STRUCTURE 

The structure of the SCM program is similar to the CFSM implementation. There must 
be a means for input, output, and reachability analysis. The input is more complex because 
not only must the FSM’s must be entered, but also variable definitions and the associated 
predicate-action table as shown in Figure 16. The input can be viewed as hierarchical. The 
global and system reachability analysis are performed using different algorithms and are 
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described in later sections. The code for producing output is identical to the CFSM program 
with some addition to allow the user to tailor variable output. 



Text File (FSM’s) 




Variable Definitions 



Predicate-Action 




Global and System 
Reachability Analysis 



!•// .*.•»//.•//.'/// ////.•///»!•///,• >X*»XvX- 

* a *.*i • i*> /.‘/.v >/iv » x- >///•*•> »> >» i 

\v.va%j\w.v//.v«.v.va:v/.v.-.v/:<vX-.-: 
v.v.* /.* .•< //.v 

|| Default Output || 




Figure 17: SCM run time behavior. 

The program, written in Ada, consists of packages^ procedures, and functions that 
make up the basic structure mentioned above. A package specifies a group of logically 
related entities, such as types, and objects of those types as defined in [GONZ 91] and 
[SKAN 88]. The procedures and function that were subject to change/updates were also 
treated as separate compilation units. To give a ‘feel’ for the different components of the 
program, the separate compilation units and the files that contain them are shown in Table 
4. 



TABLE 4: SCM compilation units. 



Compilation Unit 


Description 


File 


read_in_file 


parses text input file 


input.a 


load_m achine_ array 


builds machine adjacency 
lists form parsed file 


input.a 


build_Gstate_graph 


builds global reachability 
analysis graph 


global_reachability.a 
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Compilation Unit 


Description 


File 


clear_pointers 


clears the values for 
another input file 


global_eachability.a 


search_for_Gtuple 


performs BFS search of 
global reachabililty graph 


global_search.a 


IsEqual 


compares global records 
and associated transitions 
for equality 


global_search.a 


build_Sstate_graph 


builds system reachability 
analysis graph 


system_reachability.a 


search_for_S tup le 


perfoms BFS search of 
graph 


system_search.a 


IsSysStateEqual 


compares system records 
and associated transitions 
for equality 


system_search.a 


output_Gstate_node 


format for node output 


global_output.a 


output_Gstate_transition 


format for transition output 


global_output.a 


output_Gstates 


traverses graph and outputs 
nodes and transitions 


global_output.a 


output_machine_arrays 


format output of contents 
of adjacency lists 


global_output.a 


output_S state_node 


format for node output 


system_output.a 


output_Sstate_transition 


format for transition output 


system_output.a 


output_Sstates 


traverses graph and outputs 
nodes and transitions 


system_output.a 


output_Gtuple 


format global record for 
output 


user_output.a 


variable_definitions 


user defined protocol vari- 
ables 


user_definitions.a 


Analyze_Predicates 


performs analysis of predi- 
cates and determines which 
transitions are enabled 


predicate_action.a 
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Compilation Unit 


Description 


File 


Action 


changes the global and 
local variables based on the 
transition executed 


predicate.action.a 



The user has access to the last three files shown in Table 4. The variable definition package. 
Predicate ^Analysis function, and Action procedure contained in these files are modified by 
the user to reflect the specific protocol to be analyzed. Formats for each unit will be 
outlined in Sections B, C, and D. The other files and procedures will remain hidden from 
the user because they are independent of any protocol to be analyzed. Figure 18 shows the 
files and generic units used at compilation time. 



Generic Units 



Stacks 



Integer_IO 



Text IO 



Enumeration IO 



Queues 



input.a 



predicate_action. a 



user definitions. a 



Separate 

Compilation 

Units 



global. 

output.a 



system. 

output.a 



global, 
search. a 



system. 

search.a 



global. 

reachability.a 



system. 

reachabillity.a 



main procedure 

iimiiilliiiimiiiiiiiiiiiiiii 

scm.a 

Iiiiiiiiiiiiiiiiimiiiiiiiiiiii 





Figure 18: SCM compilation units. 
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B. INPUT 



An intuitive and understandable means to input a specification is helpful in any 
protocol analysis program. A protocol specification is divided into shared and local 
variable definitions, predicate-action table representation, and finite state machine storage 
structure. 

The different parts to each specification to be analyzed must be input in a certain order. 
The definition package, Analyze -Predicate function, and Action procedure must be 
constructed and compiled before the program is executed. When the program is executed 
the user then inputs the FSM text file and obtains the reachability analysis. Since the 
compilation of the program depends on the variables in the definition package, this package 
is written and compiled first. This is a technique to verify variable definition correctness in 
the Ada environment. Once the definitions package is compiled the Analyze -Predicate 
function and Action procedure can then be compiled This step-wise refinement facilitates 
error free specification representation. 

At any point in execution of the program the status of all variables is kept in the global 

/ 

state record. Each node in the global reachability graph has a copy of this record. Within 
the main procedure a global state record is declared as 



type Gstate_record_type is 
record 

machine l_state : machine l_state_t ype; 

machine2_state : machine2_state_type; 

global_variables : global_variable_type; 

end record; 

Having the machine and global types defined in a separate package ensures that only select 
pieces of code can be modified by the user. The definitions package contains the 
machine 1 jstate _type, machine2 _state_type, and global_variable_type declarations; thus 
this package must be compiled first. 

The order that each input category is covered in this chapter reflects order that the 
protocol specification should be constructed and compiled. 
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1. Protocol Variable Definitions 



The user defines the protocol environment variables in the definitions package. 

Variables can either be local to a specific machine or global to the system. The global 

variables are considered shared and allow communication between the machines in the 

system. The local variables are only visible to the machine that they are defined for. A 

discrete variable can be one of the many Ada defined types such as: 

integer natural character 

array digit boolean 

record access 

These types variables, or their subtypes, can be used to define protocol 
environment. 

A template for the definitions package is illustrated in Figure 19. The shaded 
areas of the figure are where the variables of the protocol are inserted. All other code should 
remain unchanged. Additional type declarations should be placed before the machine type 
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declarations. The state number of each machine is initialized to one even though this 

maybe different based on the FSM text file is input (the initial state is explicitly given.) 

'SM transition labels 

package definitions is 
type scm_transition_type is ( 




) ; 



.^.protocol dependent types 



type machine l_st at e_type is 
record 

state number : natural : = 1; 



end record; 

type machine2_state_type is 
record 

state number : natural 



achine 1 local variables 




end record; 



type global_variable_type is 
record 



end record; 
end definitions; 



achine 2 local variables 



global (shared) variables 



Figure 19: SCM, definitions package template. 

The variable declarations for the stopjindjvait protocol are:shown in Figure 



20 . 



package definitions is 

type scm_transition_type is 

type buffer^ type is (d,e,a); 

type machine l_st at e_type is 
record 

state_number 

out_buff 

end record; 

type machine2_state_type is 
record 

state_number 
in_Jbuf f 

end record; 



(snd_ data, rcv_data, 
snd ack, rev ack) ; 



natural 

buffer_type 



natural 

buf fer_type 



1 ; 

d; 



1 ; 

e; 
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type global_variable_type is 
record 

CHAN : buffer_type := E; 

RET : buffer_type E; 

end record; 
end definitions; 

Figure 20: SCM, definitions package, stop_and_wait. 

The transitions are represented as xmtjdata, xmt_ack, rcv_data, and rcv_ack 
instead of -D, -A, +D, and +A. Machine one has a local variable that serves as an out-bound 
buffer ( out_buff ). It is initialized with data present in the buffer, represented by 'd\ The 
only machine that sees the variable contents is Machine one. Machine two is similar in that 
it has a buffer for receiving ( injbuff) data from the channel. The global variables are the 
shared variables channel ( CHAN) and a return link (RET). Both variables are initialized 
empty and can be accessed by each machine. The values that CHAN, RET , injbuff, and 
outjbuff can have are defined as a buffer jype. The buffer jype variables can have the 
values e (empty), d (data), or a (acknowledgement). The stop_and_wait protocol example 
shows how easily variables can be represented. All the text in bold lettering are user defined 
variables and types. 

2. Predicate-Action Table Representation 

The predicate-action table serves as the engine to the analysis. The enabling 
predicate defines the logic that must hold true for the transition to be taken (refer to Table 
1). Local and global variables must meet these conditions. A number of transitions could 
be enabled, but, for a transition to be executed the state of the machine must be considered. 
The action column of the predicate-action table identifies the variable changes that must 
take place when the transition is executed. The program captures the essence of the 
predicate- action table by breaking the components of the table into subprograms. A 
subprogram in the Ada environment is a function, procedure, or package. Since the user 
must have access to a number of the subprograms they are represented as separate 
compilation units. 
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The first subprogram is the Analyze -Predicate function. A function is a 
subprogram that returns a value to the location in which it was invoked. It can only have 
input parameters.The function is handed the machine local variables and the system global 
variables as input parameters. Since more than one transition could be enabled, a stack is 
used to place all transitions that are enabled. A transition is pushed onto the stack if it is 
enabled and the function returns the entire transition _stack. From the transition _stack 
values and a pointer to the current state in machine adjacency matrix, a determination is 
made on which transition can actually be executed. There are a number of 
Analyze -Predicate functions, one for each machine. The template for the 
Analyze -Predicate function is shown in Figure 21. 

separate (main) 

function Analyze_Predicates_Machinel (local : machinel_state_type; 

GLOBAL : global_variable_t ype ) 
return transition_stack_package . stack is 

begin 



MakeEmpty ( transition_stack) ; ^ enabling condition 



if ( ) then 

Push (transition_stack, 
end if; 



return transition_stack; 
end Analyze_Predic'ates_Machinel ; 




enabled transition 



Figure 21: SCM, Analyze predicate function template. 

Once a transition is executed, changes must be made to some or all the variables. 
A procedure using a case statement was the simplest way to make the changes to the global 
state record. The Action procedure has three parameters: the transition that is executed and 
the current global state record are in parameters, and the updated global state record is the 
out parameter. The transition is passed into the procedure and a case statement determines 
which series of instructions are to be executed. These instructions make the appropriate 
changes to the protocol environment variables. The out _sy stem state is handed out of the 
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procedure containing the changed protocol variables. The template for the Action 



procedure is shown in Figure 22. 



separate (main) 

procedure Action ( in_system_state 

in_transition 

out_system_state 

begin 



in Gstate_record_type; 
in scm_transition_type; 
out Gstate_record_type) 



case (in transition) is 



enabled transition 



when 









is 




action taken 



when 

end case; 
end Action; 



others => 

put_line ("Error in the Action procedure"); 



Figure 22: SCM, Action procedure template 

The three subprograms that reflect the logic of the predicate-action table are 
grouped together in one file (predicate_action.a). The file for the stop_and_wait protocol 



separate (main) 

function Analyze_Predicates_Machinel (local : machinel_state_type ; 

GLOBAL: global_variable_type) 
return transition_stack_package . stack is 

begin 

MakeEmpty (transition stack); 

if ( (local. outjbuff T- a) and (GLOBAL. CHAN = E)) then 
Push ( transition_stack, xnrt_ data) ; 
end if; 

if (GLOBAL. RET = A) then 

Push (transition_stack, rcv_ack) ; 

end if; 

return t ransition_stack; 
end Analyze_Predicates_Machinel; 

separate (main) 

function Analyze_Predicates_Machine2 (local : machine2_state_type; 

GLOBAL: global_variable_type) 
return transition_stack_package . stack is 

begin 

MakeEmpty (transition_stack) ; 

if ( (GLOBAL. CHAN /= E) and (local . in_buff = e) ) then 
Push (transition_stack, rcv__data) ; 
end if; 

Push (transit ion_s tack , jattt_ack) ; 
return transition_stack; 
end Analyze_Predicates_Machine2 ; separate (main) 

separate (main) 
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procedure Action (in system_state : in Gstate_record_type; 

Tn_transition : in scm_transition_type ; 

out_system_state : out Gstate_record_type) is 

begin 

case ( in_t rans it ion ) is 
when (xmt_data) => 

out_ayatem_3tate . GLOBAL_VARI ABLE S . CHAN : = 
in_ayatem_atate .machine Instate . out_buf f ; 
when (rcv_ack) => 

out_aystem_state.GLOBAL_yARIABLES.RET := E; 
Out~ay3tem_atate.GL0BAL_VARIABLES.CHAN :=E; 
out_aystem_atate . machine2_atate . in_bu£f : = e ; 
when (xmt_ack) => 

out_syatem_atate.GLOBAL_VARIABLES.RET := A; 
when (rcv_data) =*> 

out_aystem_state .machine2_atate . in_buf f : = 
in_ayatem_atate . GLOBAL_VARXABLES . CHAN; 

when others -> 

put_line ("Error in the Action procedure"); 

end case; 
end Action; 



Figure 23: SCM, analyze_predicate.a, stopjand_wait. 

The bold text in the code indicates what the user provided as input to define the 
specification shown in the stop_and_wait predicate-action table (See Figure 16.) 

3. Finite State Machines 

/ 

The FSM’s are input as a text file during program execution. This file is built by 
the user with a set of language rules similar to the Backus-Naur Form (BNF) shown in 
Chapter III. The only change to the format of the input is the transition (trans) lines. In the 
CFSM model only send and receive transitions were allowed; whereas in the SCM model 
a transition can have any label that follows the enumeration rules. The lines of the text file 
are buffered and parsed. From the parsed line groups of strings called tokens are 
manipulated as described in Chapter HI. The list of valid instructions for finite state 
machine input is: 



start 

machine 

state 

initia Instate 

trans 

finish 



<natural> 

<natural> 

<natural> <natural> 

Enumeration literal> <natural> 
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The tokens are cast into either enumerated types (instructions) or integers (integer 
variables). The integer variables have been formally defined within the main procedure in 
Appendix B. The meaning of the instructions are found in Figure 24. 



start 

machine 

state 

initial_state 

trans 

finish 



Serves as a beginning flag for the file. 
Defines the current machine. 

Defines the current state. 

The intitial/start state for 
machines one and two. 

Transition type and next state. 

This token serves as an ending flag for 
the file. 



Figure 24: Input File definitions. 



Representation of a finite state machine using the above convention has some 

inherent constraints. Rules for constructing enumeration literals must be followed. For 

instance, the list of values in an enumeration literal can only be character literals and cannot 

contain a digit in the first position. The input file for stopjindjwait is shown in Figure 25: 

start 
machine 1 
state 0 

trans xmt_ data 1 
state 1 

trans rcv_ack 0 
machine 2 
state 0 

trans rcv_data 1 
state 1 

trans xmt_ack 0 
initial_state 0 0 
finish 

Figure 25: SCM, Input File, stop _and_wait. 

A data structure that contributes to the reachability analysis is the FSM adjacency 
list. The adjacency list was chosen as the structure to represent the directed graph of the 
Finite state machines. 

The actual data structure to build the adjacency list and the defined constraints 



are: 



. type machine_array_record_type; 

type Mlink_type is access machine_array_record_type ; 
type executed__type is (yes, no); 
type machine_array_record_type is 
record 

transition : scm_transition_type; 
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next_state : natural; 

executed : executed_type; 

Mlink : Mlink_type 

end record; 

type machine_array_type is array (positive rangeO) 
of Mlink_type; 

type system_array_type is array(1..2) 
of machine_array_type; 



The internal representation of the FSM adjacency lists are the same as Figure 12 
except the SCM adjacency lists do not have a message field. 

C. REACHABILITY ANALYSIS 

The process of generating the set of all states reachable from the initial state is called 
state reachability analysis. During the reachability analysis a check for deadlock, 
unspecified reception, and unexecuted transitions are done. The reachability analysis of a 
specific protocol is done in two phases. 

The first is to generate a global state reachability graph. This analysis constructs a 
graph, whose nodes are the reachable global states, and whose arcs indicate the transitions 
leading from each global state to another. The global state (node) contains the state of each 
machine and the values of all the variables. 

The second phase of the analysis is to generate an separate system state reachability 
graph from the global state reachability graph. The system reachability graph contains 
nodes with just the state information of each machine. The rules for the generation of new 
states will be discussed in Section 2. 

1. Global State Analysis 

The process of generating the set of all global states reachable from the initial 
global state is called global state analysis. This analysis produces a graph, whose nodes are 
the reachable global states, and whose arcs indicate the transitions leading from each global 
state to another. The global state of a system consists of the system state tuple, plus the 
values of all variables, both local and shared. The algorithm as it appears in [LUND 91a] is: 
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(1) Set each machine to its initial state, and all variables to their initial 
values. The initial set of reachable global states consists of the initial system 
state and the value of all variables; the initial graph is a single node 
representing this state. 

(2) From the current global state vector and variable values, determine 
which transitions are enabled. For each of these transitions, determine the 
global state which results from its execution. If this state (with the same 
enabled transitions) has already been generated, then draw an arc from the 
current state to it, labeling the arc with the transition name. Otherwise, add 
the new global state to the graph, draw an arc from the current state to it, and 
label the arc with the name of the transition. 

(3) For each new state generated in step 2, repeat step 2. Continue until 
step 2 has been repeated for each global state thus generated, and no more 
new states are generated. 

The algorithm above was modified to make use of the existing data structures 
introduced in the CFSM program. A psuedo-code algorithm to construct the global 
reachability graph is: 



create top JGstate pointer and initial node in Gstate -graph 
main loop 

for machine Jndex in 1 ..number _of Jnachines loop 

transition _stack := Analyze _predicate(machine Jndex, cur rent _G state) 
while transition _stack is not empty loop 

while current row of mac hine( machine Jndex) is not null loop 

if cur rent jGstate, transition = top of transition stack then 

perform Action procedure on current JGstate and place 
results in a temp JGstate 
search Gstate -graph for temp JGstate 
if temp JGstate found then 

insert temp JGstate in G state -graph 

Enqueue pointer to location in Gstate jx)inter_queue 

else 

link current Gstate to found Gstate 
set newjiode flag to false 

else 

traverse current row of machinef machine Jndex) 
end loop ~ machine row traversal loop 
Pop a transition from the transition -Stack 
end loop — transition loop 
if the Gstate j>ointerjqueue is not empty then 
Dequeue a pointer 

go to the appropriate row of mac hine( machine Jndex) 

else 

exit loop 

end loop — machine loop 
exception 

when Gstate ^pointer jqueue is empty then 
exit main loop 
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when Gstate _pointerjqueue is full then 
print error message 
exit main loop 

end mainjoop 



The data structures that are used in the program are defined in the specification 
of the main procedure and the definitions package. The machine states and variables along 
with the global variables are defined in the definitions package. The remaining data 
structures which are hidden from the user are:shown in Figure 26 

— data structures for the global state tuple (node) 
type global_state_type; 

type Glink_type is access global^ state_type; 

— transition structure 
type Gstate_transition_type is 
record 

Gtransition : scm_transition_type; 

new^node : boolean := true; 

Glink : Glink_type; 

executed : boolean :=» false; 

end record; 



r-global tuple structure 
type Gs t at e_re cor d_type is 
record 

machine Instate 
machine2__state 
global_variables 

end record; 



machinel_state_type; 
machine2__state__type; 
global_var iable_type ; 



— Global state node, contains transition, state, and link information 
— needed for building the global state graph 
type global_state_type is 
record 



no de_n umber 

Gtuple 

linkl 

link2 

link3 

link4 

end record; 



natural := 0; 
Gstate_record__type ; 
Gstate_transition_type; 
Gstate_transition_type ; 
Gstate_transition_type; 
Gstate_transition_type; 



Figure 26: SCM, global definitions. 



The data structure of the global node (global _state_type)e ncapsulates the 
information contained in the global state record. The global transition record has the type 
of transition and information about the node it is pointing to. If the node it is pointing to is 
a newly created node the new field is set to false, otherwise it maintains its initialized value 
of true. It also has a visited field, used during the construction of the system state 
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reachability graph. The internal representation of the graph generated by the algorithm for 
stop and wait protocol highlights all the data structure used (see Figure 27). 
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Figure 27: SCM internal global reachability graph, stop_and_wait. 
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2. System State Analysis 

System state analysis is similar to global state analysis. The number of states 
generated by the system state analysis is less than or equal to the number of states in the 
CFSM model or the global analysis of the SCM model. Only the states of the machines and 
the transitions from those states are considered when generating a new state. The formal 
steps in constructing a system state graph as it appears in [LUND 91a] is: 



(1) Set each machine to its initial state, and all variables to their initial 
values. The initial set of reachable system states consists of only the initial 
system state; the initial graph is a single node representing this state. 

(2) From the current system state vector and variable values, determine 
which transitions are enabled. For each of these transitions, determine the 
system state which results from its execution. If this state (with the same 
enabled transitions) has already been generated, then draw an arc from the 
current state to it, labeling the arc with the transition name. Otherwise, add 
the new system state to the graph, draw an arc from the current state to it, and 
label the arc with the name of the transition. 

(3) For each new state generated in step 2, repeat step 2. Continue until 
step 2 has been repeated for each system state thus generated, and no more 
new states are generated. 



The portion of the program that builds the system state graph makes use of the 
information already available in the global state graph. In the current version of the 
program the global reachability graph is constructed followed by the system reachability 
graph. Future versions would allow the user to select which analysis to perform but 
currently both are constructed and output The pointer to the initial global state is provided 
as an input parameter to the build_Sstate_graph procedure. The global state graph is 
traversed in a breadth first manner, as the nodes are visited the system state graph is 
constructed. If the system state graph were being constructed independently of the global 
state graph the algorithm would be very similar to the one in the previous section. Since the 
system state graph is being constructed based on only the global reachability graph the 
machine, matrices are not used. The psuedo-code algorithm for this approach is: 
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create topJSstate pointer and build initial ^Sstate node; 
main loop 

while( current GstateJink not null and not visited) loop 
visit a G state jgraph node using BFS traversal 
mark the link taken as visited 
create a temp Ji state with values of current JG state 
search Sstatejgraph for tempJSstate 
if tempJSstate found then 

insert tempJSstate in Sstatejgraph 

else 

link current Sstate to found Sstate 
set new jiode flag to false 

end loop 
end main loop 



The data structures for the system state graph construction, except for the 
transition labels, are completely hidden from the user. The system related data structures as 
they appear in the main procedure are shown in Figure 28. 



type system_state_type; 

type Syslink_type is access system_state_type ; 



— transition structure for system state 
type Sstate_transition_type is 
record 



Stransition 

new_node 

Syslink 

end record; 



scm__transition_type ; 
boolean ;= true; 
Syslink_type ; 



type Sstate_record_type is 
record 

machine Instate : natural : = 0/ 

machine2__state : natural := 0; 

end record; 



— system state structure 
type system_state_type is 
record 

node_n umber 

Stuple 

linkl 

link2 

link3 

link4 

end record; 



natural := 0; 
Sstate_record_type; 
Sstate_transition_type; 
Sstate_transition_type ; 
Sstate_transition_type ; 
Sstate_transition_type;- 



Figure 28: SCM, system definitions. 

To follow through with the stop_and_wait analysis example, an internal 
representation of the system state graph is shown in Figure 29. Although this example does 
give a graphical picture of how the data structures are used it does not show the advantages 
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of a system state analysis over global state analysis. Examples covered in Chapter V 
illustrate how much smaller system state graphs can be when compared to the global 
analysis graphs. 
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Figure 29: SCM internal system reachability graph, stop_and_wait. 
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D. OUTPUT 



Output of the analysis is provided to a text file and to a default device(workstation 
display). Figure 32 shows a captured image of default output to a workstation screen for 
stop_and_wait. There are features available to allow the user to step through the output one 
screen at a time. Output messages are provided to the user when a deadlock, unexecuted 
transition, or an unspecified reception occur. A message is also displayed when the length 
of the graph exceeds the bounds defined by the user (capacity of the channel is exceeded.) 
The contents of the machine adjacency lists are also output. 

The user may format output for the global state graph. This is done through the file 
user_ouput.a. The procedure, output _G tuple, contained in the file allows the user to format 
the variables for default output.The template for output procedures are found in Figure 30. 

separate (main) 

procedure output_Gtuple (tuple : in out Gstate_record_type) is 
begin 

put (" [" & integer' image (tuple .machinel_state . state_number) & " , ") ; 

■ ► user defined format of variables using text_IO 

put <" & integer' image (tuple .machine2_state . state_number) & " ] ") ; 

end output_Gtuple; 

separate (main) 

procedure output_Gtuple_to_file (tuple : in out Gstate_record_type) is 
begin 

put (reach," (" & integer' image (tuple .machinel_state . state_number) ) ; 

‘fcfined format of variables using text.IO 

put (reach, " , " & integer' image {tuple .machine2_state . state^number) & 

" ] ") ; 

end output_Gtuple_to_f ile; 

Figure 30: SCM, output jGtuple procedure template. 

An example of how a user could format output is given for the stop_and_wait protocol 
is given in Figure 3 1 

separate (main) 

procedure output_Gtuple (tuple : in out Gs t at e_rec o rd_t ype ) is 
begin 

put (" [" & integer' image (tuple .machinel_state . state_number) 

put (tuple .machine Instate . out_Jbuff, set => lower-case) ; 
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put (" , *) ; 

put (tuple . GLOBAI»__VARIABLES . CHAN, set => uppercase); 
put ( n , ") ; 

put (tuple . GLOBAL_VARIABLES .RET , set => uppercase) ; 
put (" , "); 

put (tuple. machine2_state.in_buff, set => lower_caae) ; 

put(" ," & integer' image (tuple .machine2_state . state_number) 

& " ] ") ; 

end output_Gtuple; 
separate (main) 

procedure output^ Gtuple_to_f ile (tuple : in out Gstate_record_type) is 
begin 



put (reach," [" & 

integer' image (tuple .machinel_state . state_number ) & " , ") ; 

put (reach, tuple, machine Instate . out_Jbuff, set => lower-case) ; 
put (reach," , ") ; 

put (reach, tuple . GLOBAL_VARIABLES . CHAN, set => uppercase) ; 
put (reach," , xs ) ; 

put ( reach , tuple . GLOBAL_VARIABLES . RET , set => upper_case ) ; 
put (reach," , "); 

put (reach, tuple. machine2_st ate. in_buff, set => lower_case) ; 
put (reach," , " 6 

integer' image (tuple .machine2_st ate . st at e_number) & " ] ") ; 
end output_ Gtuple_to_f ile; 

Figure 31: SCM, output format, stop_and_wait. 

Consistent with previous examples the boldface code is that which the user 
provides. The user does not provide any parameters for system state output. The output 
shown in Figure 32 was formatted according to the procedures usjed above. 
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REACHABILITY ANALYSIS of : stop_and_wait 



Global State GRAPH 
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3 
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E , e , 0 ] 
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System State GRAPH 
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Figure 32: SCM, analysis output, stop_and_wait. 
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V. AN AUTOMATED ANALYSIS OF SELECTED DATA LINK 

PROTOCOLS 



In this section the programs that were developed in the last two chapters will be 
demonstrated. Some well known data link protocols will be analyzed using the CFSM and 
SCM programs. The CFSM program will be used to analyze the alternating bit and the 
sliding window protocols. The SCM program will be used to analyze go_back_n and 
selective repeat protocols. In each analysis the specification will be described; the program 
input and results are in the Appendices of this publication. 

A. CFSM MODEL 

The examples used as input show the advantages of the CFSM program. The 
alternating bit protocol analysis was chosen as a simple class of protocols. The sliding 
window with a window size of three shows how a graphically complex protocol can be 
analyzed quite easily. 

I. Alternating Bit Protocol 

The specification of the alternating bit protocol will be used as the first example 
for the CFSM program. The protocol consists of two machines. Machine one serves as a 
sender and Machine two as the receiver. The sender sends a message(-X) to the receiver. 
The receiver then accepts the message (+X) and sends an acknowledgment (-A). The 
acknowledgment at the machine level is done with the toggling of a bit, wherein the name 
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alternating bit is derived. The sender is clear to send another message when the 
acknowledgment is received. 



M achine. I Machine! 




Figure 33: CFSM specification, Alternating Bit. 

The input file for the specification is 

start 
machine 1 
state 1 
trans -X 2 
state 2 
trans +A 3 
state 3 
trans -Y 4 
state 4 
trans +B 1 
machine 2 
state 1 
trans *X 2 
state 2 
trans -A 3 
state 3 
trans +Y 4 
state 4 
trans -B 1 
initiaLstate 1 1 
finish 



The analysis of the alternating bit specification is: 
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REACHABILITY ANALYSIS of : output *alt_b it 
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* The nodes generated by the analysis 
were done in a breadth first manner 



2. A More Complex Example: The Sliding Window Protocol. 

The analysis of a sliding window protocol is a more complex example. To 
represent the protocol as a set of graphical finite state machines can be quite tedious. The 
essence of the protocol must be captured with the use of transitions, oftentimes this can lead 
to an intricate diagram as in this example. 

The sliding window protocol can also be represented as a two machine CFSM. 
As in the previous example, Machine one is the sender and Machine two is the receiver. At 
any instant of time the sender maintains a list of consecutive sequence numbers 
corresponding to frames it is permitted to send[TANE 81] These frames are said to fall 



61 



within the sending window. The receiver also maintains a receiving window corresponding 
to frames it is permitted to accept. The sending window and the receiving window need not 
have the same ‘lower and upper limits, or even have the same size. 

A window size of three is used in the specification given in Figure 34. The 
messages or packets are shown as transitions labeled X, Y, and Z and the acknowledgments 
are A, B, and C. 

Machine, L Machine. Z 





Figure 34: CFSM specification, sliding window (w=3). 
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The text file of the specification is: 



start 
Machine 1 
state 1 
trans -X 2 
state 2 
trans *B 7 
trans -Y 3 
state 3 
trans *B 8 
trans +C 4 
state 4 
trans -Z 5 
state 5 
trans -X 6 
trans +ft 1 
stats 6 
trans *ft 2 
trans ♦B 7 
state 7 
trans -Y 8 
stats 8 
trans -Z 9 
state 9 
trans +C 5 
trans ♦ft 1 



Machine 2 
state 1 
trans ♦X 2 
state 2 
trans ♦Y 3 
state 3 
trans -C 4 
state 4 
trans ♦Z 5 
state 5 
trans +X 6 
state 6 
trans -B 7 
state 7 
trans *Y 8 
state 8 
trans -Z 9 
state 9 
trans -ft 1 
lnltial.state 1 1 
finish 



The analysis of the specification as contained in the output text file 
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The unexecuted transitions account for error control. Error control refers to 
mechanisms to detect and/or correct errors that occur in the transmission of information. So 
the unexecuted transitions identified in Machine 2’s array are transitions that would have 
been executed if a loss of a message had occurred. Error and time-out transitions are not 
shown in the CFSM. 

B. SCM MODEL 

The examples used as input validate the use of the SCM program as a tool to verify 
protocols. The go_back_n protocol was analyzed first due to the availability of prior 
modelling done using SCM. The output of the program were compared to the manual SCM 
modelling results of this protocol. The s elective repeat specification provided additional 
evidence as to the programs validity as well as demonstrating how it can be used to improve 
a specification. In both examples it must be shown that the use of the analysis should help 
the designer or reviewer to gain a greater understanding of the protocol, as well as in 
detecting errors. 

The analysis of any protocol using this program contains varying information. A 
global reachability graph and system reachability graph are provided. Following the graph 
is a description of the contents of each machine array upon termination of the graph 
construction. Error messages (deadlock, unspecified reception, and unexecuted transitions) 
are placed at the point in the analysis where they occur. The system state graph will be used 
in this section to provide a means to validate output results. The system state graph can be 
viewed as a three dimensional object whose tuple values provide a vector to 3 dimensional 
space. 

1. Go Back N 

The first protocol which was chosen to model is a go_back_n protocol with a 
variable window size, which is a subset of the High-level Data Link Control (HDLC) class 
of protocols. There are two machines in the system, a sender(m/) and a receiver (m 2 ). The 
sender sends data blocks to the receiver, which are numbered sequentially, 0, 1,..., w, 0, 1,... 
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for a window size of w. The maximum number of data blocks which can be sent without 
receiving an acknowledgment is w, the window size.The receiver, m 2 t receives the data 
blocks and acknowledges them by sending the sequence number of the next block expected 
(which is stored in local variable exp). The shared variables DATA and SEQ are used to 
pass messages from sender to receiver, and the shared variable ACK is used to pass 
acknowledgments back to the sender. The receiver may acknowledge any number of blocks 
received up to the window size. Upon receiving the acknowledgment, the sender must be 
able to deduce how many data blocks are being acknowledged. This is done by observing 
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the difference between the values of the received acknowledgment and the sequence 
number of the last data block sent. 





seq : ( 0 , 1 , , w ) 
i : ( 1 , 2 w ) 



machine 2 




Rdata : 



exp : ( 0 , 1 , ... , w ) 
j : ( 1 , 2 , ... , w ) 



Transition 


Enabling Predicate 


Action 


-D . 


DATA(i)=E A SEQ(i)=E 


DATA(i) := Sdata(i) 
SEQ(i) ;= seq 
inc(i,seq) 
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ACK © k = seq A 

ACK*E 

(next state : k) 


ACK := E 


+D 


DATA (J) * E A SEQ(j)=exp 


Rdata DATA(j) 
DATAfj). SEQ(j) := E 
inc(j.exp) 


-A 


DATA(j)=E 
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Figure 35: SCM specification, Go Back N, window size of l..w. 
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The general specification of the protocol is given in Figure 35. Included in this 
figure are the state machine diagrams, variables and the predicate action table. Initially, 
both sender and receiver are in state 0, arrays DATA and SEQ are empty, and ACK is 
empty. The domains of DATA, Rdata and Sdata are not specified; these are used to hold 
user data blocks. Sdata and Rdata are the interface or access points of the higher layer (user) 
protocol. The local variables for the sender are Sdata, used to store data blocks, seq, used 
to store the sequence number of the next data block to be sent out, and i, used as an index 
into the DATA and SEQ arrays. Initially seq is set to 0, and i is set to 1. The local variables 
of the receiver are Rdata, exp , and j. Rdata is used to receive and store incoming data 
blocks, exp to hold the expected sequence number of the next incoming data block, and j is 
an index into the shared arrays DATA and SEQ. 

There are four basic types of transitions described in the predicate action table. 
In the sender the -D transition transmits a data block by placing it into the shared variable 
— DATA(i), and the sequence number into SEQ(i). The send is enabled whenever those 
variables are empty. The receive transition in the receiver, m. 2 t is enabled whenever a data 
block of the appropriate sequence number is in the jth element of DATA and SEQ. An 
acknowledgment may be sent by m 2 in any state except 0, in which case no 
unacknowledged data blocks have been received. The +A is a receive transition. If mj is in 
state u, 1 < u < w, and there is a nonempty value in shared variable ACK, then exactly one 
of the transitions +Aq , +Aj,..., +A w .j will be enabled; it will be that A ^ such that the 
predicate ACK @k = seq is true, and the next state is k. In the state diagram, all of the 
transition +A^ are shown using the same vertical line. 

a. Input of variable definitions. 

A sample interaction using the program for the analysis of go_back_n, w=l, consists of input 
files and an output file. The variable definitions contained in the user specification file are: 
package definitions is 

type scm_transition_type is (snd_data, rcv_data, 

snd_ack, rcv_ack0, unused) ; 
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type buffer_type is ( d,e,a ); 

type buf fer_array_type is array(l..l) of buf f er_type; 
type seq_array_type is array(l..l) of integer range -1..1; 

type machinel_state_type is 
record 

state_number : natural :* 1; 

Sdata : buf fer_array_type :=* (others=>d) ; 
seq : integer range 0..1 := 0; 
i : integer range 1..1 1; 

end record; 

type machine2_state_type is 
record 

state — number : natural := 1; 

Rdata : buffer_ type := e; 
exp : integer range 0..1 := 0; 
j : integer range 1..1 :® 1; 

end record; 

type global_variable_type is 
record 

DATA : buf fer_array_type :* (others=>e) ; 

SEQ : seq_array_ type (others=>-l) ; 

ACK : integer range -1..1 := -1; 
end record; 

end definitions; 

b. Input of predicate analysis . 

The analyze predicate functions e contained in the predicate_action.a file are: 

function Analyze_Predicates_Machinel ( local : machinel_state_type; 

GLOBAL : global_variable_type ) 
return transition_stack_package . stack is 
tempi : integer := GLOBAL. ACK + 0; 

begin 

MakeEmpty (transition_stack) ; 

if ( (GLOBAL. DATA (local. i) =E) 

and (GLOBAL . SEQ ( local . i) = -1)) then 

Push ( transition_stack, snd_data) ; 
end if; 

if ((tempi = local. seq) and (GLOBAL. ACK /= -1)) then 
Push (transition_stack, rcv_ack0) ; 
end if; 

return transition_stack; 
end Analyze_Predicates__Machinel ; 

function Analyze_Predicates__Machine2 (local : machine2__state_type; 

GLOBAL : global_variable_type ) 
return transition_stack_package . stack is 
begin 

MakeEmpty (transition_stack) ; 
if ( (GLOBAL. DATA (local. j) /=E) 
and (GLOBAL . SEQ ( local . j ) - local. exp)) then 
Push (transition_stack, rcv_data)‘; 
end if; 

if (GLOBAL. DATA ( local. j)=E) then 

Push (transition stack, snd ack); 
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end if; 

return transition_stack; 
end Analyze_Predicates_Machine2; 



c. Input of action table • 

The action procedure is also a separate compilation unit contained in the predicate_action.a 



file: 



procedure Action (in_system_s t ate : in out Gstate_record_type; 

in — transition : in out scm_transition_type; 
out_system_state : in out Gstate_record_type) is 

temp : integer := 0; 

begin 

case (in_transition) is 
when (snd_data) => 

out_system_state .GLOBAL_VARIABLES . 

DATA ( in_system_state .machine Instate . i) : = 
in_system_state.machinel_state . 

Sdata ( in_system_st ate .machine l_st ate . i) ; 
out_system_state .GLOBAL__VARIABLES . 

SEQ (in_system_state .machine l_st ate .i) := 

in_ system_state ,machinel_state . seq; 
out_system_state ,machinel_state . i :* 

( ( (in_system_state .machinel_state . i) + 

1 ) mod 1 ) + 1; 

out_system_state .machinel_state . seq := 

( ( (in_system_state .machinel_state . seq) ' 
+ 1 ) mod 2 ) ; 
when (rcv_ackO) => 

out_system_state . GLOBAL_VARIABLES .ACK := -1; 
when (snd_ack) => 

Out_system_state.GLOBAL_VARIABLES .ACK := 
in_system_state .machine2_state . exp; 
out_system_st ate .machine2_st ate . Rdata : = e ; 
when (rcv_data) => 

out_system_state .machine2_state .Rdata := 

in_system_state . GLOBAL_VARIABLES . DATA 
(in_system_state .machine2_state . j) ; 
out_sys tem_st ate .GLOBAL_VARIABLES .DATA 

(in_system_state .machine2_state . j ) := E; 

out_system_state . GLOBAL_VARIABLES . SEQ 

(in_system_state .machine2_state . j ) := -1; 

out_system_st ate . machine2_st ate . j : = 

( ( (in_system_state .machine2_state . j ) 

+ i ) mod 1 ) + 1 ; 

out_system_state .machine2_state .exp := 

( ( (in_system_state .machine2_state .exp) 

+ 1 ) mod 2 ) ; 
when others => 

put_line ("There is an error in the 
. Action procedure") ; 

end case; 
end Action; 
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<L Input of finite state machines . 

And, finally, the input file for the finite state machines is: 

start 

♦ machine 1 

state 0 

trans snd_data 1 
state 1 

trans rcv__ackO 0 
machine 2 
state 0 

trans rcv_data 1 
state 1 

trans snd_ack 0 
initial_state 0 0 
finish 

e . Output of analysis. 

The output of the analysis is: 



REACHABILITY ANALYSIS of : 90 -back_n_wl 
Global State GRAPH 



0 


t o 


,0,0,1 




0,1, 


E 


, -1 


0 


-1 ] 




srd.data 


1 


1 


C 1 


,0,1,1 


, 


0,1, 


D 


, 


0 




-1 ] 




rcv.data 


2 


2 


C 1 


,1,1,1 


, 


1,1, 


E 


, ■ 


■1 


, 


-1 ] 




snd.ack 


3 


3 


[ 1 


,0,1,1 


, 


1,1, 


E 


, ■ 


-1 


, 


1 ] 




rcv.ackO 


4 


4 


[ 0 


,0,1,1 




1,1, 


E 




-1 


/ 


-1 ] 




srd.data 


5 


5 


1 1 


,0,0,1 




1,1, 


0 




1 


, 


-1 ] 




rcv.data 


6 


6 


1 1 


,1,0,1 


, 


0,1, 


E 


, ■ 


-1 


, 


-1 ] 




srd.ack 


7 


7 


[ 1 


,0,0,1 


' 


0,1, 


E 




-1 


, 


0 ] 




rcv.ackO 


0 






Systen 


State GRAPH 
















0 


[0,0] 




snd.data 


C 


1 




0 ] 


1 








1 


[1,0] 




rcv.data 


[ 


1 


, 


1 ] 


2 








2 


[1,1] 




snd.ack 




[ 


1 




0 ] 


3 








3 


[1,0] 




rcv.ackO 


[ 


0 


, 


0 ] 


0 







Hachine 1 fVray Contents 



1 Fro* 


1 To 1 


1 Transition 1 


Executed 1 


1 0 


1 1 1 


1 snd.data 1 


yes 1 


1 1 


1 0 1 


1 rcv.ackO 1 


yes 1 




1 Machine 2 Array Contents 1 


1 Fro* 


1 To 1 


1 Transition 1 


Executed 1 


1 0 


1 1 1 


1 rev. data 1 


yes 1 


1 1 


1 0 1 


1 snd.ack 1 


yes 1 
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The output indicates that no errors were encountered. The format for the variables are user 
dependent and, for brevity sake, the code for formatting the output was not included 

/. System state analysis. 

System state analysis is similar to the reachability analysis used with the pure finite state 
machine model, but the total number of states which must be generated with system state analysis is 
significantly smaller. 

The system state analysis for a window size of 1 is shown in Figure 36.The subscripts are 
used so that distinct system states having the same tuple may easily be distinguished The convention is that 
the subscript is initially 0, and is increased whenever a “-A” transition is taken, by the number of messages 
which are being acknowledged. 




Figure 36: SCM, system state analysis, Go BackN , w=l. 

The analysis for w=2 is shown in Figure 37. The initial states and variable values are the 
same as for the w=l, however there are clearly more states in the analysis. 

In a comparison between window sizes of 1 and 2, it is noted that the smaller graph is a 
subgraph of the larger, either can be obtained from the other. If the subscripts are taken as the third coordinate 
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in a 3*dimensional cartesian coordinate system, with the states of each machine as the first two coordinates. 
The graph then is the shape of a tetrahedron, with edges which are directed and labeled. 




The graphs contained in Figure 36 and Figure 37 are defined with respect to a window size 
w. The graphs, DTl(w) for a nonnegauve integer w is a labeled, directed graph, defined by the tuple 
({/, E, L, <t>) , where N = { (x, y, z)| (0< z < w, z<x< w, 0< y < x-z) } is a finite set of nodes, where each 

node is specified by an ordered triple; L={-D, +D, -A, +A o, +Aj +A W . 1 } is a finite set of label; the set E 

of edges is a set of ordered pairs ((xy, y;, z /), (xy, y 2 , z 2 )) of nodes from N, and is the union of the following 
four sets: 

El = {((x.y. z), (x+l,y. zj)/(x, y, z)eN, x< w) 

E 2 = {( (x.y, z), (x, y+1, z))/(x,y, z)eN, y<x-z) 

E 3 = {((x,y.z),(x,0,y+z))/(x.y,z)eN. (y = x-z),x>z) 

E 4 = {((x. y. z), (x-z, y, 0))/(x, y,z)<=N,z> 0 ) 

and the mapping <b(L*~ E) is defined as follows: 
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VU^:)e£j,<t»Uy,z) = -D 
VUy t z)e£ 2 ,<l>Uj,z)= + D 
V ( x,y , z) € Ey <t> (x, y , z) = r A 
V (x, y, z) e £ 4> <X> (x, y, z) = + , where *=x-z 

Each node of the graph can be thought of as a point in 3-dimensionai space, with nonnegative, 

integral coordinates (x,y,z). The structure of the graph is a sequence of w+7 triangles, one on top of the other, 

with the largest triangle at the bottom and the smallest is a single point at the top level. 

One of the nice features of the geometric structure of this graph is that the state of the system 

can be easily inferred from the x, y, z coordinates. For example, in Figure 37, point (2,1,0), or system state 

[2,1]0, the sender has transmitted 2 data blocks for which no acknowledgment has yet been received, the 

receiver has received 3 of these, but acknowledged non. 

Let f(w) be the amount of nodes in a system state graph and g(w) be the amount of nodes in 

the global reachability graph. The equations for g(w) and f(w), and the lemmas that support them, for the 

go_back_n protocol are found in [LUND 91a]. For instance, the graph DTl(w) has 
» 

f(w) = \ w 3 + w 2 + w + l . The size of the graphs according to window size are: 

6 6 



w 


f(w) 


g(w) 


0 


1 


1 


1 


4 


8 


2 


10 


60 


3 


20 


240 


4 


35 


700 


5 


56 


1680 


5 


84 


3528 


7 


120 


6720 



The output of the program for this protocol was compared to values for f(w) and g(w). Test 
runs were done for window sizes of 0 thru 5 and the amount of nodes in each graph were consistent with the 
table above. The specification input files and the output is in Appendices E through H. 
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2. Selective Repeat 



The next analysis is the selective repeat protocol.The specification defined in 
[BENV 91]and [STAL 91] has been modified as follows. There are two machines in the 
system, a senderfm;) and a receiver (m 2 ). The senders (mj) initial state is 0. Two 
assumptions were made for the analysis. First, all the packets transmitted were received 
without error and second, no packets were lost or reordered during the transmission. 

The specification for the sender is found in Figure 38. As the buffer manager 
places data in the next available sequence number, the sender places the packet on the 
channel and increments the index for the next packet to be transmitted. As long as the next 
packet is not empty, the sender will continue this process until the bottom state on the finite 
state machine is reached, indicating the transmission of a full window. Acknowledgments 
(ACK) are passed to the transmitter as they are received. If an ACK is received then the 
transmitter must determine if the window may be opened and if so, how far. If the ACK is 
not for the first packet in the window then the flag ack_rec is set, indicating that the packet 
was received correctly. The window is not advanced because packets that were transmitted 
earlier are still outstanding. The sequence number within each ACK represents the actual 
sequence number of the packet received and not the sequence number of the next expected 
packet, as is common in many protocols. 

When an ACKs for the first packet in the window is received the machine clears 
its buffer, advances the window, and looks at the next sequence number. If the packet has 
not been received, then that becomes the beginning of the window. If it has been received 
then the next sequence number is examined until the earliest outstanding packet is found or 
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the window is fully opened. ACKs that do not correspond to any of the sequence numbers 



within the current window are ignored. 



machine 1 





out_buff : [ [ • * * 

ack_rec : [~ » • » 

i : ( 0 , 1 , ... , w ) 
current : ( 0 , 1 , , w ) 
hold : ( t , f ) 



machine 2 




in_buff : 
pkt_rec : 

j : 

current : ( 0 , 1 , ... , w ) 



1 2 



w 



( 0 , 1 , ... , w ) 



Transition 


Enabling Predicate 


Action 


■D 


outJ?uffer(i) 1= E A 
hold = / 


DATA(i) :=out_buffer(i) 
inc(i) 

if(i=w) hold ;= t 


+A 


ackjec(i) =/ A 
CONTROL=A(i) 


ack rec(i ) := t 
CONTROL(i) := E 


>3 

O 

IA 

A 

S 


true 


ack rec(i) :=/ 
hold . -/ 


-A 


CONTROL(j)=E A 
pkt_rec(j)=t 


CONTROL(j) := A(j) 
pkt_rec(j) . =/ 
in_buff(j) := e, inc(j) 


+D 


pkt_rec(j)-f 


in buff(j) := DATA(j) 
DATA(j) := E 
pkt_rec(j) :=i 



Figure 38: SCM specification, Selective Repeat, window size of l..w. 
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The receiver as shown in Figure 38 follows the specification given in the 
predicate action table. The initial state of the receiving machine is 0. Any packets that are 
received with sequence numbers outside of the window are dropped. If a valid data packet 
is received then the +D is taken, based upon whether the sequence number of the received 
packet is equal to i s . If the sequence number is not i s then the flag pktjec is set to t and the 
packet is stored. If it is equal to i s , then the pkt_rec is set, the packet is released to buffer, 



and is incremented until a sequence number with pkt_rec-f is found. 



A sample interaction using the program for the analysis of selective repeat, 
w=l, consists of input files and an output file. The variable definitions contained in the user 
specification file are: 



package definitions is 

type scrn_transition_type is (snd_data, rcv_data, 

snd_ack, rcv_ack, 
adv_winl, unused) ; 
type buffer_type is (dl,e,al ); 
type boolean_type is (t, f); 

subtype ack_buf f er_type is buffer_type range e..al; 
subtype data_buf f er_type is buffer_type range dl..e; 

type ack_array_type is array(l..l) of ack_buf fe r_type ; 
type data_array_type is array(l..l) of data_buf fe retype; 



type boolean_array_type is array(l..l) of boolean_type ; 



type machinel_state_ type is 
record 

state_number : natural 

out_buffer : data_array_type 

ack_rec : boolean_array_type 

current : integer range 1..1 

hold : boolean_type 

end record; 



= 0 ; 

= (dl) ; 

:= (others=>f) ; 
:= 1 ; 



f; 



type machine2_state_type is 
record 

state_number : natural 

in_buffer ; data_array_type 

pkt_rec : boolean_array_type 

end record; 



= 0 ; 

= (others=>e) ; 
= (others=>f) ; 



type global_variable_type is 
record 

DATA : data_array_type := (others=>e) ; 

CONTROL : ack_array_type ‘ := (others=>e) ; 

end record; 

end definitions; 
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a. Input of predicate analysis. 



The analyze predicate functions contained in the predicate_action.a file are: 

function Analyze_Predicates_Machinel (local : machine l_state_type; 

GLOBAL: global_variable_type) 

return transition_stack_jpackage . stack is 
begin 

MakeEmpty ( transition_stack) ; 
if (local .out_buffer (1) /= E) then 
Push (transition_stack, snd_datal) ; 
end if; 

if ( (local. ack_rec (l)=f) and GLOBAL. DATA=A1) then 
Push (transition_stack, rcv_ackl) ; 
end if; 

Push (transition_stack, adv_winl) ; 
return transition_stack; 
end Analyze_Predicates_Machinel; 

function Analyze_Predicates_Machine2 ( local : machine2_state_type; 

GLOBAL: global_variable_type) return 

transition_stack_package . stack is 
begin 

MakeEmpty (transition_stack) ; 

if ( (GLOBAL. DATA - Dl) and (local .pkt_rec (1) =f) ) then 
Push (transition_stack, rcv_datal) ; 
end if; 

if (local .pkt_rec (1) =t) then 

Push (transition_stack, snd_ackl) ; 
end if; 

- return transition_stack; 
end Analyze_Predicates_Machine2 ; 



b. Input of action table. 

The action procedure is also a separate compilation unit contained in the predicate_action.a 



file: 

procedure Action (in_system_state : in out Gstate_record_type ; 

in_transition : in out scm^transition_type; 
out_system_state : in out Gstate_record_type) is 

temp : integer := 0; 

begin 

case (in_transition) is 
when (snd_datal) => 

out_system_state .GLOBAL_VARIABLES .DATA := 

in_system_state .machinel_state . out_buf fer (1) ; 
when (rcv_ackl) => 

out_ system_state .machinel_state . ack_rec (1) :=t; 

out_system_state . GLOBAL_VARIABLES .DATA :=e; 
out_system_state .machinel_state . current := 1; 
when (rcv_datal) => 

out_system_state .machine2_state . in_buf fer (1) := 

in_system_state . GLOBAL_VARIABLES .DATA; 
out_system_state.GLOBAL_VARIABLES .DATA := e; 
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out_system_st ate .machine2_ state • pkt_rec (1) : = t; 
when (snd_ackl) => 

out_system_sta te „ GLOBAL_VARIABLES . DATA : = al; 
out_system_state .machine2_state .pkt_ rec (1) : = f; 
out_system_state .machine2_state . in_buf fer (1) := e; 

when (adv_winl) =*> 

out_system_state .machine Instate . ack_rec 

(in_sy sternest ate .machine Instate . current ) := f; 

when others *> 

put_line ("There is an error in the Action procedure") 
end case; 
end Action; 



c. Input of finite state machines . 

And, finally, the input file for the finite state machines is: 

start 
machine 1 
state 0 

trans snd_datal 1 
state 1 

trans rcv_ackl 2 
state 2 

trans adv_winl 0 
machine 2 
state 0 

trans rcv_datal 1 
state 1 

trans snd_ackl 0 
initial_state 0 0 
finish 



& Output of analysis. 

The output of the analysis is: 



78 



REACHABILITY ANALYSIS of ; sel.rep.ul 



Global State GRAPH 
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1 Machine 1 fr*roy Contents 1 
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1 1 


1 snd.datal 1 


yes 1 


1 1 


1 2 


1 rcv.ackl 1 


yes 1 


1 2 


1 0 


1 adu.winl 1 


yes 1 




I Machine 2 Array Contents 1 
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1 To 


1 Transition 1 


Executed 1 


1 0 


1 1 


1 rcv.datal 1 


yes 1 


1 1 


1 0 


1 snd.ackl 1 


yes 1 



e. System state analysis . 

The system state analysis for a window size of 1 is shown in Figure 39.The subscripts are 
used so that distinct system states having the same tuple may easily be distinguished. The convention is that 
the subscript is initially 0, and is increased whenever a - A transition is taken, by the number of messages 
which are being acknowledged The analysis for w=2 is shown in Figure 40. As previously pointed out initial 
states and variable values are the same as for the w=l, however there are clearly more states in the analysis. 
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Figure 39: SCM, system state analysis, Selective Repeat , w=l. 




Figure 40: SCM, system state analysis, Selective Repeat , w=2. 

The graphs contained in Figure 39 and Figure 40 are the basis to the definition of a window 
size of w. The graphs, SRl(w) for a nonnegative integer w is a labeled, directed graph, defined by the tuple 
(jV, £,L, <1>) , where N = { (jc, y t z)\ (0<z<w, z<x< 2 w, 0<y<jc-r)} is a finite set of nodes, where 
each node is specified by an ordered triple; L={-D, +D, - A , +A, R w .j} is a finite set of label; the set E 
of edges is a set of ordered pairs ((xy, yy, zy), (xy, y 2 , z 2 )) of nodes from N y and is the union of the following 
four sets: 
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Ei - {((x, y, z), (x+w, y, z))/(x, y, z) eN, x<w) 

E 2 = {((x. y, z), (x, 1, 0))/(x, y, z) eN, y + z < x) 

E 3 = {((x, y, z), (x, y-1, z+l))/(x, y, z) eN, x>z) 

E 4 = {((x, y, z). (x+1, y, z))/(x, y,z) eN, y + z<x) 

E 5 = {((x, y. 2 ), (x-(w+k), y, z))/(x, y, z) eN, x- (y + z) <k) 

and the mapping <&(£,<-£) is defined as follows: 

V (x, y, z) € £,, <t> (x, y, z) = -D 

V ( x, y, z) € £* <t> (x, y, z) = +D 

V (x, y, z) € E y <t> (x, y, z) = -A 

V (x, y, z) € E v <I> (x, y, z) = +A 

V (x, y, z) € E 5 , <t> (x, y, z) = /?*, k = \ w -x| 

As wjth the go_back_n analysis, each node of the graph can be thought of as a point in 3- 
dimensional space, with nonnegative, integral coordinates (x.y.z). The structure of the graph is a sequence of 
w+1 triangles, one on top of the other, with the largest triangle at the bottom and the smallest is a single point 
at the top level. 

/ 

Let f(w) be the amount of nodes in a system state graph. The lemmas that support it, for the 

2 2 

selective repeat protocol are found in [JENS 92]. The graph SRl(w) has /(w) = w + (w + 1) . The size 

of the graphs according to window size are: 



w 


f(w) 


0 


1 


1 


5 


2 


13 


3 


25 


4 


41 



Test runs were done for and the amount of nodes in each graph were consistent with the table 
above. The specification input files and the output is in Appendices I and J. 
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VI. CONCLUSIONS AND RECOMMENDATIONS 



In this thesis, a program was introduced that analyzed network protocols using the 
CFSM and SCM models. The program was successfully developed in an Ada environment. 
The Ada tools that made implementing the models easier were encapsulation, information 
hiding, generic programming units. 

In Ada, network protocol specifications can be represented in an intuitive manner. The 
finite state machines and the associated predicate action tables were converted to Ada 
language parameters for the analysis. The language environment enforces the rules of the 
protocol as well as the allowable behavior of all the variables. Dynamic construction of 
reachability graphs allowed the user to determine how large or small an analysis should be. 
The protocol designer or engineer that uses this program can quickly become familiar with 
the behavior of the protocol by simply constructing the Ada specification. It is interesting 
to note that due to the automated specification analysis some previous work using the SCM 

model has since been modified. The analysis provides information on occurrences of 

/ 

deadlock, unspecified reception, unexecuted transition, and message flow exceeding 
channel capacity. 

The programming environment provided an adequate platform to develop the 
program. The ability to use encapsulation, information hiding, tasking, and generic code 
allowed the program to be developed in a step-wise, compartmented fashion. The 
availability of a powerful debugger (DBX) enhanced the transition from developing to 
testing the program. To allow for a more transportable product this program might be 
converted to C or C++, so that others may benefit from its use. 

The program was validated with previous work done on widely used protocols. In 
Lundy’s papers [LUND 88], [LUND 91a], [LUND 91b], [LUND 92a] and [LUND 92b] a 
number of protocols were manually analyzed using the SCM model. A subset of those 
analysis were performed using the program, achieving identical results.lt is interesting to 
note that due to the automated analysis of previous work using the SCM model, some 
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specifications have had to be modified. In must also be noted that example analysis were 
only done on two machine specifications. 

There are several questions and areas open for further work which remain. An 
important step would be to expand the program to allow for more than two machines. 
Although most protocols can be modelled with two machines, it is a realistic requirement 
to model three or more. The program could be made more interactive with the user, 
allowing the user to change the specification real time when an error occurs. The program 
was developed for use on a workstation, future work could concentrate on PC versions of 
Ada or C/C++. A picture is worth a thousand words; what is done textually can sometimes 
be represented better graphically. A graphical user interface would enhance the users 
ability to specify a protocol and understand the analysis. 

It is important to say that developing this program was FUN. One of the features of 
this automated tool is its understandability. By developing an automated tool it became 
apparent that the user needs to feel comfortable with the language used as well as how a 
specification looks and feels when input for analysis. The results provided by the many runs 
of this program focused attention to where it needed to be- the protocol behavior, not the 
programming language anomalies. 
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APPENDIX A CFSM CODE 



The program listing begins on the following page. 
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input .a 

load_mach ine_array (number : in out natural; 

state : in out natural; 

Next state : in out natural; 
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n NAME_ERROR => 

put_l ine ("That file does not exist. Reenter! 
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Q2 .Store (i) ) then 



Title : stacks 

File : stacks. a 

Author : Matthew J. Rothlisberger, Captain, U. S. Army 
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procedure MakeEmpty(S 
begin 

S . latest :* 0; 
end MakeEmpty; 



S. latest = MAX then 
raise StackFull; 
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Title : IsEqual 

File : reachabi 1 i ty . a 

Author : Matthew J. Rothl isberger. Captain, U. S. Army 

Date : 10 February 1992 

Revised : 
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end IsEqual; 
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end output_Gstate_node; 
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if (Gstatepointer . 1 ink3 .Gl ink /= null) then 
set_col (42) ; 

if (Gstate_pointer . Iink3 .Gt ransition = snd) then 
put ("-"); 
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APPENDIX B SCM CODE 



The program listing begins on the following page. 
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package body queues is 
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end queues; 
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S. latest - MAX then 
raise StackFull; 



S. latest = 0 then 
raise StackEmpty; 
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the queues are empty the main loop will raise the following exception handler 
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APPENDIX C (CFSM) ALTERNATING BIT 



INPUT (FSM) 



start 

machine 1 MACHINE 1 

state 1 
trans -X 2 
state 2 
trans +A 3 
state 3 
trans -Y 4 
state 4 
trans +B 1 

machine 2 MACHINE 2 

state 1 

trans +X 2 

state 2 

trans -A 3 

state 3 

trans + Y 4 

state 4 

trans -B 1 

init ial_state 1 1 

finish 
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OUTPUT 



REACHABILITY ANALYSIS of : output. alt 



Reachability Graph 
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APPENDIX D (CFSM) SLIDING WINDOW 



INPUT(FSM) 



start 
machine 1 
state 1 
trans -X 


2 


state 2 
trans +B 


7 


trans -Y 


3 


state 3 
trans +B 
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trans -Z 
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trans +X 
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trans -B 
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state 7 
trans. +Y 
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trans +Z 
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trans -A 


1 


initial state 1 1 


finish 
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OUTPUT 



REACHABILITY ANALYSIS of : sliding_window 
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APPENDIX E (SCM) GO_BACK_N, W=1 

INPUT (FSM) 



start 
machine 1 
state 0 

trans snd_data 1 
state 1 

trans rcv_ackO 0 
machine 2 
state 0 

trans rcv_data 1 
state 1 

trans snd_ac)c 0 
initial_state 0 0 
finish 
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VARIABLE DEFINITIONS 



package definitions is 

type scm_transit ion_type is (snd_datal, rcv_datal, snd_ackl, 

rcv_ackl, adv_winl, unused) ; 
type buffer_type is (dl,e,al); 
type boolean_type is (t,f); 



type buf fer_array_type is array Cl- - 1 ) of buffer_type; 
type boolean_array_type is array (1..1) of boolean_type; 



type machinel state type is 



record 

state_number 
out_buf fer 
ack_rec 
current 
end record; 



: natural 

: buf fer__array_type 
: boolean__ar ray_type 
: integer range 1..1 



0 ; 

(others=>dl) 
(others*> f ) ; 

l; 



type machine2_state_ 
record 


type 


is 




state_number 


: 


natural 


0; 


in_buf fer 


: 


buf fer_array_type 


: - (others=>e) 


■pkt^rec 


: 


boolean_array_type 


: = (others*>f) 


current 


: 


integer range 1..1 


:= 1; 


end record; 


type global variable 


type is 




record 


DATA 

end record; 


: 


buf fer_type 


: “ e ; 



end definitions; 
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PREDICATE-ACTION 



separate (main) 

function Analyze_Predicates_Machinel (local : machine Instate type; 

GLOBAL: global_var iable_type ) return transition 

stack_package . stack is 
begin 

MakeEmpty (transition_stack) ; 
if (local .out__buffer (1) /* E) then 

Push (transit ion_stack, snd_datal ) ; 
end if; 

if ( (local. ack_rec(l)=f) and GLOBAL . DAT A=*A1 ) then 
Push (transition_stack, rcv_ackl) ; 
end if; 

Push (transition_stack, adv_winl ) ; 
return transit ion_stack; 
end Analyze_Predicates_Machinel ; 

separate (main) 

function Analyze_Predicates_Machine2 ( local : machine2_state type; 

GLOBAL: global_variable_type ) return transition 

stack_package . stack is 
begin 

MakeEmpty (transit ion_stack) ; 

if ( (GLOBAL. DATA = Dl) and ( local .pkt_rec ( 1 ) =f) ) then 
Push (transition_stack, rcv_datal) ; 
end if; 

if ( local .pkt_rec (-1 ) «t ) then 

Push (transition_stack, snd_ackl) ; 
end if; 

return transition_stack; 
end Analyze_Predicates_Machine2; 

separate (main) 

procedure Act ion ( in_system_st ate : in out Gst ate_record_type ; 

in_transit ion : in out scm_transit ion_type ; 
out_system_state : in out Gs tate_record_type ) is 



temp : integer :* 0; 

begin 

case ( in_transition) is 
when (snd_datal) => 

out_system_state . GLOBAL_VARIABLES .DATA :* 

in_system_s tate . mach inel_state . out_buffer (1) ; 
when (rcv_ackl) -> 

out_system_state . mach ine Instate .ack_rec ( 1) := t; 

out_system_state .GLOBAL_VARIABLES . DATA :- e; 
out_system_state .machinel_state .current := 1; 
when (rcv_datal) => 

out_sy sternest ate . machine 2 _st ate . in_buf fer (1) :* 

in_system_st ate .GLOBAL_VARIABLES . DATA; 
out _system_s tate .GLOBAL_VARIABLES . DATA :* e; 
out_system_state.machine2_state .pkt_rec (1) := t; 
when (snd_ackl) => 

out_system_state .GLOBAL_VARIABLES . DATA :* al; 
out_system_state.machine2_state.pkt_rec (1) := f; 

out_system_st ate .machine2_state . in_buf fer ( 1) := e; 

when (adv_winl) => 

out_system_state .ma- 
ch inel_state . ackjrec ( in_system_st ate . mach ine l_s tate .current ) := f ; 

when others => 

put_line ( "There is an error in the Action procedure"); 
end case; 
end Action; 
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OUTPUT FORMAT 



separate (main) 

procedure output_Gtuple (tuple : in out Gstate_record_type) is 
begin 

put (^ (* & integer' image (tuple .machinel_state . state_number ) ) ; 

put (^ , * & integer' image (tuple .machine2_state . state_number ) ) ; 
putp , '); 

put (tuple .machine Instate . out_buffer ( 1) , width => 1); 
put ( * , "); 

put (tuple .machine Instate .ack_rec ( 1) , width=>2) ; 
put (* , *) ; 

put (tuple .machine2_state . in_buffer (1) , width »> 1); 
put p , *) ; 

put (tuple .machine2_state .pkt_rec (1) , width»>2) ; 
put p , ") ; 

put (tuple. GLOBALJ/ARIABLES. DATA, width »>2) ; 
put P ] *) ; 
end output_Gtuple; 



separate (main) 

procedure output_Gtuple_to_f i le (tuple : in out Gst ate_record_type ; 

counter : in out integer) is 

begin 

put (reach, counter) ; 

put (reach,* P & integer' image (tuple . machinel_state . state_number ) ) ; 
put (reach,* ,* & integer' image (tuple . machine2_state .state_number ) ) ; 
put (reach, * , *) ; 

put (reach, tuple .machinel_state .out_buffer (1) , width => 1); 
put (reach,* , *) / 

put (reach, tuple .machinel_state . ack_rec (1) , width»>2) ; 
put (reach,* , *) ; 

put (reach, tuple .machine2_state . in_buffer ( 1) , width => 1); 
put (reach,* , *) ; 

put (reacts tuple .machine2_st ate .pkt_rec ( 1 ) , width=>2) ; 
put (reach, * , *) ; 

put (reach, tuple .GLOBAL_VARIABLES . DATA, width =>2) ; 
put (reach, * ] *) ; 
new_line (reach) ; 
end output_Gtuple_to_f i le ; 



separate (main) 

procedure output_Gstate_node (Gst a te pointer : in out Glink_type; 

Error_Flag : in out boolean) is 

begin 

output_line_count := output_l ine_count + 1; 
if ( (output_line_count mod 10) = 0) then 
scroll_pause; 
end if; 

set_col (Gcolumn_set ) ; 

put (Gstate_pointer . syst em_state_number , width => 3); 
output_Gtuple (Gstate pointer .Gtuple) ; 

if ( (Gstate_pointer . linkl .Glink = null) and then (Gstate_pointer . Iink2 .Glink = null) 
and then 

(Gstate_pointer . Iink3 .G1 ink = null) and then (Gstate_po inter . 1 ink4 .Gl ink = null)) 

then 

Error_flag := true; 
else 

Error_flag := false; 
end if; ~~ 

end output_Gstate_node; 
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OUTPUT 



REACHABILITY ANALYSIS of : go_back_n_wl 



Global State GRAPH 
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APPENDIX F (SCM) GO BACK N, W=2 

INPUT (FSM) 



start 
machine 1 
state 0 

trans snd_data 1 
state 1 

trans snd_data 2 
trans rcv_ackO 0 
state 2 

trans rcv_ackO 0 
trans rcv_ackl 1 
machine 2 
state 0 

trans rcv_data 1 
state 1 

trans rcv_data 2 
trans snd_ack 0 
state 2 

trans snd_ack 0 
init ial_state 0 0 
finish 
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VARIABLE DEFINITIONS 



package definitions is 



£ype scm_transit ion_ type is (snd_data, rcv_data, 

snd_ack, rcv_ackO, 
rcv_ackl, unused) ; 

type buffer_type is (dO,dl,e,a); 

type buf fer_array_type is array (1.. 2) of buffer_type; 
type seq_array_type is array (1.. 2) of integer range -1..2 

type machinel_state_type is 
record 

state_number : natural :* 0; 

Sdata : buf fer_ ar ray_type (d0,dl); 

seq : integer range 0..2 := 0; 

i : integer range 1..2 1; 

end record; 



type machine2_stste_type is 
record 

state_ number : natural := 0; 

Rdata”* : buffer_type ;= e; 

exp : integer range 0..2 := 0; 

j ; integer range 1..2 := 1; 

end record; 



type global_var iable_type 
record 

DATA : 

SEQ : 

ACK : 

end record; 



is 

buf fer_array_type 
seq_a r r a y_t ype 
integer range -1..2 



(e, e) ; 
(-U-1); 
- 1 ; 



end definitions; 



PREDICATE-ACTION 



separate (main) 

function Analyze_Predicates_Machinel (local : machinel_state type; 

GLOBAL: global_variab.Te_type) return transition_- 

stack_package. stack is 

"tempi : integer := GLOBAL. ACK + 0; 
temp2 : integer (GLOBAL. ACK + l)mod 3; 

begin 

MakeEmpty (transition_stack) ; 

if ( (GLOBAL. DATA (local, i) =■ E) and (GLOBAL. SEQ (local . i) = -1)) then 
Push (transition_stack, snd_data) ; 
end if; 

if ((tempi = local. seq) and (GLOBAL. ACK /= -1)) then 
Push (transition_stack, rcv_ack0) ; 
end if; 

if ( (temp2 * local. seq) and (GLOBAL. ACK /= -1)) then 
Push (transition_stack, rcv_ackl) ; 
end if; 

return transit ion_stack; 
end Analyze_Predicates_Machinel; 



separate (main) 

function Analyze_Predicates_Machine2 ( local : machine2_st ate_type ; 

GLOBAL: global_variable_type) return transition_- 

stack_package . stack is 
begin 

MakeEmpty (transition_stack) ; 

if ( (GLOBAL. DATA(local.j) /*E) and (GLOBAL . SEQ ( loca 1 . j ) = local. exp)) then 
Push (transition_st ack , rcv_data) ; 
end if; 

if (GLOBAL. DATA (local. j)=E) then 
Push (transition_stack, snd_ack) ; 
end if; 

return t ransition_stack; 
end • Analyze_Predicates_Machine2 ; 

separate (main) 

procedure Act ion ( in_system_st ace : in out Gstate_record_type; 

in_t ransit ion : in out scm_transit ion_type; 

out_system_st ate : in out Gstat e_record_t ype) is 



temp : integer := 0; 

begin 



seq) 



exp; 



+ 



case (in_transit ion) is 
when (snd_data) => 

out_system_state .GLOBAL_VARI ABLES . DATA ( in_system_st ate .machinel_st ate . i) : = 
in_system_state .machinel_state .Sdata { in_system_state .machinel_state . i) ; 
out_system_state.GLOBAL_VARIABLES .SEQ ( in_syst em_st at e . machine l_st ate . i) := 
"in_system_state.machinel_state . seq; 
if (in_system_state .machinel_st ate . i = 1) then 
out_system_state . machine Instate . i := 2; 
else 

out_system_st ate . machinel_st ate . i := 1; 



end if; 

out_system_st ate . machine Instate . seq : - 
1 ) mod 3 ) ; 

when (rcv_ackQ) => 

out_system_st ate . GLOB AL_VAR I ABLES . ACK 
when (rcv_ackl) => 

out_syst em_st ate . GLOBAL_VARIABLES .ACK 
when (snd_ack) => 

out_system_state . GLOBAL_VARIABLES . ACK 



( ( ( in_sy sternest at e . machine l_stat e . - 

= - 1 ; 

= - 1 ; 

= in_system_state .machine2_st ate . - 



out_system_st ate .machine2_state .Rdata 
when (rcv_data) => 

out_syst em^state . mach ine2_s t a te . Rdata 
ABLES .DATA ( in_syst em_st at e .machine2_sta te .j); 

out_syst em_st ate .GLOBAL VARIABLES . DATA ( 
E; 



: = e ; 

: = in_system_state.GLOBAL_VARI- 
in_system_st ate .machine2_st ate . j ) : = 



ou t_sy sternest ate .GLOBAL_VAR I ABLES . SEQ ( in_system_st at e . machine2_st a t e . j ) : = 

if { in_system_state . machine2_stat e . j = 1) then 
out_syst em_st ate .machine2_st ate . j 2; 
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else 

out_system_st ate .machine2_state . j :» 1; 
end if; 

out_system_state .machine2_state . exp := 

( ( (in_system_state ,machine2_state .exp) + l)mod 3) 
when others 

put_line ("There is an error in the Action procedure") 
end case; 
end Action; 
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OUTPUT FORMAT 



separate (main) 

procedure output_Gtuple (tuple : in out Gstate_record_type) is 
begin 

put (" & integer' image (tuple ,machinel_state . state_number) & " , "); 

put (integer' image (tuple .machine2_st ate . state_jnumber) ) ; 
putr , *); 

put (tuple ,machinel__state . seq, width => 1) ; 
put (* , m ) ; 

put (tuple .machinel_state . i, width =*> 1); 
putr , ") ; 

put (tuple .machine2_state .exp, width *> 1); 
put ( m , m ) ; 

put (tuple .machine2_state . j, width =»> 1); 

putr , ") ; 

put (tuple. GLOBAL_VARIABLES.DAT A (1) , width = >3); 
put (tuple .GLOBAL^ VARIABLES . SEQ ( 1) , width=>2) ; 
put ( m , m ) ; 

put (tuple . GLOBAL__VARIABLES . DATA (2 ) , width »>3) ; 
put (tuple . GLOB AL_VAR I ABL.ES . SEQ (2 ) , width=>2) ; 
put (" , ") ; 

put (tuple .GLOB AL_VAR I ABLES . ACK, width *> 3) ; 
put (* ] ") ; 
end output_Gtuple; 



separate (main) 

procedure output_Gtuple_to_f ile (tuple : in out Gst ate_record_type; 

counter : in out integer) is 

begin 

put (reach, counter) ; 

put (reach, " [* & integer' image (tuple .machinel_state . state_number ) & * , ") ; 

put (reach, integer' image (tuple.. machine2_state . state_number) ) ; 
put (reach, " ,*); 

put (reach, tuple .machinel_state . seq, width *> 1); 
put (reach, " , *) ; 

put (reach, tuple .machinel_state . i, width => 1) ; 
put (reach, " , ") ; 

put (reach, tuple. machine2_state .exp, width »> 1); 
put (reach," , *) ; 

put (reach, tuple .machine2_state . j, width => 1); 
put (reach, " , ") ; 

put (reach, tuple . GLOBAL_VARIABLES .DATA (1) , width =>3) ; 
put (reach, tuple . GLOBAL_VARIABLES . SEQ ( 1 ) , width=>2) ; 
put (reach," , *) ; 

put (reach, tuple .GLOBAL_VARIABLES . DATA (2 ) , width =>3) ; 
put (reach, tuple . GLOBAL _VAR I ABLES . SEQ (2) , width=>2) ; 
put (reach, " , ") ; 

put (reach, tuple .GLOBAL_VARIABLES . ACK, width => 3); 
put (reach, " ] ") ; 
new_line (reach) ; 
end output_Gtuple_to_f ile; 

separate (main) 

procedure output_Gstate_node (Gstate_po inter : in out Glink_type; 

Error_flag : in out boolean) is 

begin 

output_line_count := out put_line_count + 1; 
if ( (output_l ine_count mod 10) = 0) then 
scroll_pause; 
end if; 

set_col (Gcolumn_set ) ; 

put (Gstate_pointer . system_state_number, width => 3); 
output_Gtuple (Gstate_pointer .Gtuple) ; 

if ( (Gstate_po inter . linkl .Glink = null) and then (Gstate_po inter . link.2 .Glink = null) 
and then 

(Gstate_pointer . link.3 .G1 ink = null) and then (Gstate_po inter . Iink4 .Glink = null)) 

then 

Error_flag := true; 
else 

Error flag := false; 
end if; ” 

end output_Gstate_node; 
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APPENDIX G (SCM) GO BACK N, W=3 
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VARIABLE DEFINITIONS 



package definitions is 

type scm_transit ion_type is (snd_data, rcv_data. 



type buffer_type is (dO, dl, d2, e, a) ; 

type buf fer_array_type is array(1..3) of buffer_type; 

type seq_array_type is array (1.. 3) of integer range -1..3; 

type machinel_state_type is 
record 

state number : natural := 0; 



snd_ack, rcv_ackO, 
rcv_ackl, rcv_ack2, unused) ; 




: buf fer_array_type (d0,dl,d2) 
: integer range 0..3 := 0; 

: integer range 1..3 := 1; 



end record; 



type machine2_state_type is 
record 



state_number 

Rdata 



natural := 0; 
buffer_type : 



exp 

j 



: integer range 0..3 
: integer range 1..3 



= 0 ; 

= 1 ; 



end record 



type global_variable_type is 



record 



DATA 

SEQ 

ACK 



buf fer_array_type := (e,e,e); 
seq_array_type := (-1,-1,-1) 

integer range -1..3 : = -1; 



end record 



end definitions 



/ 
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PREDICATE-ACTION 



separate (main) 

function Analyze_Predicates_Machinel ( local : machinel_state type; 

GLOBAL: global_variabIe_t ype ) return transition_- 

stack_package . stack is 

tempi : integer := GLOBAL. ACK + 0; 
temp2 : integer := (GLOBAL. ACK + l)mod 4; 
temp 3 : integer :=* (GLOBAL. ACK + 2) mod 4; 

begin 

MakeEmpty (transit ion_stack) ; 

if ( (GLOBAL. DATA(local.i) = E) and (GLOBAL . SEQ ( loca 1 . i ) = -1)) then 
Push (transition_stack, snd_data) ; 
end if; 

if ((tempi - local. seq) and (GLOBAL. ACK /=* -1)) then 
Push (transition_stack, rcv_ackQ) ; 
end if; 

if ((temp2 » local. seq) and (GLOBAL. ACK /» -1)) then 
Push (transit ion stack, rev ackl) ; 
end if; 

if ( (temp3 - local. seq) and (GLOBAL. ACK /= -1)) then 
Push (transition._st.ack, rcv_ack2 ) ; 
end if; 

return trans it ion_stack; 
end Analyze_Predicates_Machinel; 



separate (main) 

function Analyze_Predicates_Machine2 ( local : machine2_state type; 

GLOBAL: globa l_vari able_t ype ) return transition_- 

stack_package . stack is 
begin 

MakeEmpty (transit ion_stack) ; 

if ( (GLOBAL. DATA(localo) /*E) and (GLOBAL . SEQ ( local . j ) = local. exp)) then 
Push (transit ion_s tack, rcv_data) ; 
end if; 

if (GLOBAL. DATAUocal. j) =E) then 

Push (transition_stack, snd_ack) ; , 

end if; 

return t ransition_stack; 

end Analyze_Predicates_Machine2 ; — this returned value is then checked against the 
machine arrays 

— to determine if indeed this transition can be 

taken 



separate (main) 

procedure Act ion ( in_system_state : in out Gst at e_record_type ; 

in_transition : in out sem^trans it ion_type; 
out_system_st ate : in out Gstate_record_type ) is 

temp : integer :=* 0; 

begin 

case (in_transit ion) is 
when (snd_data) => 

out_system_state .GLOBAL VARIABLES . DATA ( in_system_st ate . machinel_state . i) :=■ 
in_system_state . macR ine 1_ state . Sdata ( in_syst em_st ate .machine l_st ate . i) ; 
out_sy sternest at e .GLOBAL_VAR I ABLES . SEQ ( in_system_stat e . machine l_s tat e . i ) : = 

in_sy st em_st ate. machine Instate. seq; . * 

begin 

case (in system_state .machinel_st:ate . i) is 
when I => 

out_system_state .machine l_state . i := 2; 
when 2 =*> 

out_system_state . machinel_state . i := 3; 
when 3 => 

out_system_state . machinel_st ate . i := 1; 
when others => 
null; 
end case; 
end; 

out_system_state .machine Instate . seq := ( ( ( in_system_state . machine Instate . - 
seq) + 1) mod 4 ) ; 

when (rcv_ack0) => 

out_system_state . GLOB AL_ VAR TABLES . ACK := -1; 
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when (rcv_ackl) ®> 

out_system_state.GLOBAL_VARIABLES.ACK : = -1; 
when {rcv_ack2) *> 

out system_state.GLOBAL_VARIABLES.ACK :=* -1; 
when (snd_ack) => 

out_system_state . GLOBAL_VAR I ABLES . ACK :» in_system_state . machine2_state 



exp; 

out_system_state .machine2_state .Rdata e; 

when <rcv_data) => 

out system_state .machine2_state .Rdata := in_system_state .GLOBAL VARI- 
ABLES . DATA { in_system_state .machine2_state . j ) ; ~~ 

out_system_state . GLOB AL_VAR I ABLES . DATA ( in system_state .machine2_state . j ) 
E; 

out system state ,GLOBAL_VARI ABLES . SEQ ( in_system_state . machine2 state. j) 

-1; 

begin 

case (in system_state .machine2_state . j ) is 
when X »> 

out_3ystem_state . machine2_state . j 2; 

when 2 => 

out_system_state . machine2_state . j := 3; 
when 3 => 

out_system_state .machine2_state . j :» 1; 
when others => 
null; 
end case; 
end; 

out_system_state .machine2_state . exp := ( ( { in_system_state .machine2_state . 
exp) + 1) mod A ) ; 

when others => 

put_line ( "There is an error in the Action procedure"); 
end case; 
end Action; 
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OUTPUT FORMAT 



separate (main) 

procedure output_Gtuple (tuple : in out Gstate_record_type) is 
begin 

putt* [* & integer' image (tuple .machinel_state . state_number ) & * , "); 

put (integer' image (tuple .machine2_state . state_number ) ) ; 
put (* , ") ; 

put (tuple .machinel state. seq, width => 1); 
putP , "); 

put (tuple .machinel_state . i, width => 1); 
put(" , "); 

put (tuple. machine2_state .exp, width => 1) ; 
put P , *) ; 

put (tuple .machine2_state . j, width =*> 1); 
put r , *) ; 

put (tuple . GLOBAL_VARIABLES . DATA ( 1 ) , width =*>3) ; 
put (tuple. GLOBAL VARIABLES. SEQ (1) , width=>2) ; 
put p , ') ; 

put (tuple . GLOBAL_VARIABLES .DATA (2) , width =»>3) ; 
put (tuple .GLOB AL_VAR I ABLES . SEQ (2) , width->2) ; 
put ( * , *) ; 

put ( tuple .GLOBAL_VARI ABLE S . DATA (3 ) , width =»>3) ; 
put (tuple . G LOB AL_ VARIABLES . SEQ ( 3 ) , width=>2) ; 
put P , ") ; 

put (tuple. GLOBAL VARIABLES . ACK, width => 3) ; 
put p )”); 
end output_Gtuple; 

separate (main) 

procedure output_Gtuple_to_f ile (tuple : in out Gst ate_record_type; 

counter : in out integer) is 

begin 

put (reach, counter) ; 

put (reach," P & integer' image (tuple . machine Instate . state_number) & * , "); 
put (reach, integer' image (tuple . machine2_state .state^number) ) ; 
put (reach, " , *); 

put (reach, tuple .machinel_state . seq, width = > 1); 
put (reach," , "); 

put (reach, tuple .machinel_state . i, width => 1); 
put (reach," , *) ; 

put (reach, tuple .machine2_state .exp, width => 1) ; 
put (reach, " , *) ; 

put (reach, tuple .machine2_state. j, width => 1); 
put (reach, " , *) ; 

put (reach, tuple .GLOBAL_VARIABLES . DATA ( 1) , width =>3) ; 
put (reach, tuple . GLOBAL_VARIABLES . SEQ ( 1 ) , width = >2) ; 
put (reach, " , *) ; 

put (reach, tuple . GLOBAL_VARI ABLES . DATA(2 ) , width =>3 ) ; 
put (reach, tuple. GLOBAL_VARIABLES. SEQ (2) ,width=>2) ; 
put (reach," ,"); 

put (reach, tuple. GLOBAL_VARI ABLES. DATA (3) , width =>3) ; 
put (reach, tuple .GLOBAL_VARIABLES . SEQ (3) , width=>2) ; . 
put (reach, " ,"); 

put (reach, tuple. GLOBAL_VARIABLES . ACK, width => 3) ; 
put (reach," ]"); 
new_line (reach) ; 
end output_Gtuple_to_f i le; 

separate (main) 

procedure output_Gs t ate_node (Gst ate pointer : in out Glink_type; 

Error_flag : in out boolean) is 

begin 

output_line_count := output_l ine_count + 1; 
if ( (output_l ine_count mod 10) = 0) then 
scroll_pause; 
end if; 

set_col (Gcolumn_set ) ; 

put (Gstate_po inter . system_state_number , width -> 3); 
output_Gtuple (Gstate_pointer .Gtuple) ; 

if ( (Gstate_pointer . linkl .Glink = null) and then (Gstate_pointer . Iink2 .Glink = null) 
and then 

(Gstate_pointer . Iink3 .Glink * null) and then (Gstate_pointer . Iink4 .Glink » null)) 

then 



192 



Error_flag :* true; 
else 

Error flag :* false; 
end if; 

end output_Gstate_node; 
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APPENDIX H (SCM) GO BACK N, W=4 
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VARIABLE DEFINITIONS 



package definitions is 



type scm_transition_type is (snd_data, rcv_data, 

snd_ack, rcv_ackO, 
rcv_ackl, rcv_ack2, 
rcv_ack3, unused); 

type buffer_type is (dO, dl, d2, d3, e, a) ; 

type buf fer_array_type is array(1..4) of buffer_type; 

type seq_array_type is array (1.. 4) of integer range -1..4; 



type machinel_state_type is 
record 

state_number : natural 0; 

Sdata : buf fer_array_type 

seq : integer range 0..4 

i : integer range 1..4 

end record; 



(d0,dl,d2,d3) ; 
0 ; 

1 ; 



type machine2 state type is 



record 

state_number 

Rdata 

exp 

j 

end record; 



: natural := 0; 

: buffer_type := e; 

: integer range 0..4 
: integer range 1..4 



0 ; 

1 ; 



type global_var iable_type is 
record 

DATA : buf fer_array_type 

SEQ : seq_array_type 

ACK : integer range -1..4 

end record; 



(e, e, e, e) ; 
(- 1 ,- 1 , - 1 ,- 1 ) 
- 1 ; 



end definitions; 
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PREDICATE-ACTION 



separate (main) 

function Analyze_Predicates_Machinel ( local : machinel_stat e type; 

GLOBAL: global_variabX~e_type ) return transit ion_- 

stack_package . stack is 

tempi : integer := GLOBAL. ACK + 0; 

temp2 : integer := (GLOBAL. ACK + l)mod 5; 

temp3 : integer := (GLOBAL. ACK + 2) mod 5; 

temp4 : integer := (GLOBAL. ACK + 3) mod 5; 

begin 

MakeEmpty (transit ion_stack) ; 

if ( (GLOBAL. DATA (local. i) * E) and (GLOBAL . SEQ ( loca 1 . i ) = -1)) then 
Push (transit ion_stack, snd_data) ; 
end if; 



if 


((tempi * local. seq) and (GLOBAL. ACK 
Push (transition stack, rev ackO) ; 


/= -D) 


then 


end 


if; 






if 


( (temp2 = local. seq) and (GLOBAL. ACK 
Push (transition stack, rev ackl) ; 


/= -D) 


then 


end 


•if; 






if 


( (temp3 * local. seq) and (GLOBAL. ACK 
Push (transition stack, rev ack2) ; 


/- -D) 


then 


end 


if; 






if 


( (temp4 = local. seq) and (GLOBAL. ACK 


/= -D) 


then 



Push (transition_stack, rcv_ack3) ; 
end if; 

return transition_stack; 
end Analyze_Predicates_Machinel; 



separate (main) 

function Analyze_Predicates_Mach ine2 ( local : machine2_st ate_type ; 

GLOBAL: global_variable_t ype ) return transition_- 

stack_package. stack is 
begin 

MakeEmpty (transition_stack) ; 

if ( (GLOBAL. DATA (local. j) /=E) and (GLOBAL . SEQ ( loca 1 . j ) = local. exp)) then 
Push (transit ion_s tack, rcv_data) ; 
end if; 

if (GLOBAL. DATA (local. j)=E) then 
Push (transition_stack, snd_ack) ; 
end if; 

return transit ion_stack; 
end Analyze_Predicates_Machine2 ; 

separate (main) 

procedure Act ion ( in_syst em_st ate : in out Gst ate_record_t ype; 

in_transit ion: in out scm_t ransition_type; 
out_system_state : in out Gsta te_record_type) is 

temp : integer := 0; 

begin 

case (in_transit ion) is 
when (snd_data) => 

out_system_st ate*. GLOBAL VARIABLES . DATA ( in system_st ate . machinel_state . i) : = 
in__system_state .macTiinel_state .Sdata (1n_system_state .machinel_state. i) ; 
out_system_state .GLOBAL_VARIABLES . SEQ ( in_system_state .machine Instate . i) :- 
in_syst em^state .mach ine Instate . seq; 
begin 

case (in system_state .mach ine l_state . i) is 
when I => 

out_system_state . mach ine Instate . i := 2; 
when 2 =*> 

out_system_state . mach ine l_stace . i := 3; 
when 3 => 

out_system_st ate . machinel_state . i := 4; 
when 4 -> 

out_system_sta te . mach ine l_sca te . i := 1; 
when others => 
null; 
end case; 
end; 

out_sy sternest ate .mach ine l_st ate . seq := 

( ( (in_system_state .machinel_state . seq) + l)mod 5); 
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when (rcv_ackO) «> 

out_system_state.GLOBAL_VARIABLES.ACK := -1; 
when (rcv_ackl7 *> 

out_system_state.GLOBAL_VARIABLES.ACK :=• -1; 
when (rcv_ack27 => 

out_system_state . GLOBAL_VARIABLES . ACK -1; 
when (rcv_ack3)~-> 

out_system_state.GLOBAL_VARIABLES . ACK :=* -1; 
when (snd_ack) => 

out_system_state . GLOBAL_VARIABLES .ACK :» in_sys tem_state .machine2_state . 

exp; 

out_system_state .machine2_state .Rdata :» e; 
when (rcv_data) -> 

out_system_state .machine2_state .Rdata :» 
in_system_state .GL0BAL_VARIABLES . 

DATA ( in_system_state .machine2_state . j ) ; 
out_system_state . GLOBAL_VARIABLES . DATA ( in_system_state . machine2_state . j) 
E; 



out_system_state . GLOBAL_VARIABLES .SEQ (in_system_state .machine2_state . j) 
“- 1 ; 
begin 

case (in_system_state.machine2_Ltate. j) is 
when 1 ■> 

out_system_state .machine2_state . j := 2 
when 2 =■> 

out_system_state .machine2_state . j := 3 
when 3 => 

out_system_state . machine2_state . j := A 
when A »> 

out_system_state . machine2_state . j :* 1 
when others => 

null; 
end case; 
end; 

out_system_state .machine2_state.exp := ( ( ( in_system_s tate .machine2_state . 
exp) + l)mod 5); * 

when others *> 

put_line ("There is an error in the Action procedure") ; 
end case; ~ 
end Action; 



204 



OUTPUT FORMAT 



separate (main) 

procedure output_Gtuple (tuple : in out Gstate_record_type) is 
begin » 

put [* & integer' image (tuple .machine l_state . state_number) & n , ") ; 
put ( integer' image (tuple ,machine2_state . state_number) ) ; 
put (* , *); 

put (tuple ,machinel_state . seq, width *> 1); 

put r , *) ; 

put (tuple. machinel_state . i, width => 1); 
put ( m , *) ; 

put (tuple .machine2_state .exp, width => 1); 
put r , *) ; 

put (tuple .machine2_state . j, width => 1); 
putr ,*); 

put (tuple . G LOB AL_ VARIABLES . DATA ( 1 ) , width =>3) ; 
put (tuple . GLOB AL_ VARIABLES . SEQ ( 1 ) , width=*>2) ; 
put (" , ") ; 

put (tuple. GLOBAL_VARIABLES. DATA (2) , width =>3) ; 
put (tuple .GLOB AL_VAR I ABLES . SEQ (2 ) , width->2) ; 
put (* , "); 

put (tup le. GLOBAL J/ARI ABLES. DATA (3) , width »>3) ; 
put ( tuple. GLOBAL J/ARIABLES. SEQ (3) ,width=>2) ; 
putr ,*) ; 

put (tuple. GLOBAL_VARIABLES. DATA (4) , width =>3) ; 
put (tuple .GLOBAL_VARIABLES . SEQ ( 4 ) , width=>2) ; 
put (* , ") ; 

put (tuple. GLOBALJ/ARIABLES.ACK, width => 3); 
put r )") ; 
end output_Gtuple; 

separate (main) 

procedure output_Gtuple_to_file (tuple : in out Gstate_record_type ; 

counter : in out integer) is 

begin 

put (reach, counter) ; 

put (reach," [* & integer' image ( tuple . machinel_state . state_number) & w , ") ; 
put (reach, integer' image (tuple. mach ine2_state . state_number ) ) ; 
put (reach," , *) ; 

put (reach, tuple . machinel_state . seq, width => 1); 
put (reach," , *) ; 

put (reach, tuple .machinel_state . i, width => 1); 
put (reach," , *) ; 

put (reach, tuple .machine2_state .exp, width => 1) ; 
put (reach, ", n ) ; 

put (reach, tuple .machine2_state . j, width *> 1); 
put (reach," , w ) ; 

put (reach, tuple. GLOBAL_V AR I ABLES .DATA (1) , width =>3) ; 
put (reach, tuple .GLOBAL_VAR I ABLES . SEQ (1) ,width=>2) ; 
put (reach, " , *) ; 

put (reach, tuple .GLOBAL_VARIABLES . DATA (2 ) , width =>3) ; 
put (reach, tuple .GL0BAL_VARIABLES .SEQ (2) , width=>2) ; 
put (reach, " , ") ; 

put (reach, tuple. GLOBAL_VARIABLES .DATA (3) , width =>3); 
put (reach, tuple .GLOBAL_VARIABLES .SEQ ( 3 ) , width=>2) ; 
put (reach, " , ") ; 

put (reach, tuple .GLOBAL_VARIABLES .ACK, width => 3); 
put (reach, " ] ") ; 
new_line (reach) ; 
end output_Gtuple_to_f ile; 

separate (main) 

procedure output_Gstate_node (Gstate pointer : in out Glink_type; 

Error_rlag : in out boolean) is 

begin 

output_line_count := output_l ine_count ♦ 1; 
if ( (output_line_count mod 10) = 0) then 
scroll_pause; 
end if; 

set_col (Gcolumn_set ) ; 

put (Gstate_pointer . system_state_number, width »> 3); 
output_Gtuple (Gstate po inter . Gtup le ) ; 

if ( (Gstate_pointer . Tinkl .Glink = null) and then (Gstate_po inter . Iink2 .Glink = null) 
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and then 

(Gstate_pointer . Iink3 .Glink. = null) and then (Gstate_pointer . Iink4 .Glink - null)) 

then 

Error_flag :» true; 
else 

Error_flag false; 

♦end if; 

end output_Gstate_node; 
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4 98 [2, 0, 1,1, 1,1, E -1 

515 [3, 0,2, 2, 1,1, DO 1 

532 [4, 0,3, 3, 1,1, DO 1 

552 [4, 1,3, 3, 2, 2, E -1 

568 [ 4 , 2 , 3 , 3 , 3 , 3 , E -1 

533 [ 3 , 1 , 2 , 2 , 2 , 2 , E -1 

460 [ 1 , 1 , 0 , 4 , 0 , 4 , E -1 

472 [ 1 , 0 , 0 , 4 , 0 , 4 , E -1 

486 [ 2 , 0 , 1 , 1 , 0 , 4 , E -1 

499 [ 3 , 0 , 2 , 2 , 0 , 4 , DO 1 

516 [ 4 , 0 , 3 , 3 , 0 , 4 , DO 1 

534 [ 4 , 1 , 3 , 3 , 1 , 1 , DO 1 

553 [ 4 , 2 , 3 , 3 , 2 , 2 , E -1 

569 [ 4 , 3 , 3 , 3 , 3 , 3 , E -1 

517 [ 3 , 1 , 2 , 2 , 1 , 1 , DO 1 

535 [ 3 , 2 , 2 , 2 , 2 , 2 , E -1 

500 [ 2 , 1 , 1 , 1 , 1 , 1 , E -1 

433 [ 3 , 0 , 0 , 4 , 4 , 3 , E -1 

445 [4,0, 1,1, 4, 3, E -1 

461 [ 4 , 1 , 1 , 1 , 0 , 4 , E -1 

473 ( 4 , 2 , 1 , 1 , 1 , 1 , E -1 

446 [ 3 , 1 , 0 , 4 , 0 , 4 , E -1 

368 { 1 , 1 , 3 , 2 , 3 , 2 , E -1 

384 [ 1 , 0 , 3 , 2 , 3 , 2 , E -1 

403 [0, 0,3, 2, 3, 2, E -1 

417 [ 1 , 0 , 4 , 3 , 3 , 2 , E -1 

434 [2, 0,0, 4, 3, 2, E -1 

447 [3, 0, 1,1, 3, 2, E -1 

462 ( 4 , 0 , 2 , 2 , 3 , 2 , DO 1 

474 [4, 1,2, 2, 4, 3, DO 1 

487 [4, 2, 2, 2, 0,4, DO 1 

501 [ 4 , 3 , 2 , 2 , 1 , 1 , DO 1 

518 [ 4 , 4 , 2 , 2 , 2 , 2 , E -1 

536 [ 4 , 0 , 2 , 2 , 2 , 2 , E -1 

46? [3, 1, 1,1, 4, 3, E -1 

475 [ 3 , 2 , 1 , 1 , 0 , 4 , E -1 

488 [ 3 , 3 , 1 , 1 , 1 , 1 , E -1 
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APPENDIX I (SCM) SELECTIVE REPEAT, W=1 



INPUT 



start 
machine 1 
state 0 

trans snd_datal 1 
state 1 

trans rcv_ackl 2 
state 2 

trans adv_winl 0 
machine 2 
state 0 

trans rcv_datal 1 
state 1 

trans snd_aclcl 0 
init ial_state 0 0 
finish 
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VARIABLE DEFINITIONS 



package definitions is 



type scm_transit ion_type is (snd_datal, rcv_datal, snd_ackl, 
• rcv_ackl, adv_winl, unused); 

type buf/er_type is (dl,e,al); 
type boolean_type is (t, f) ; 



type buf fer_array_type is array {1..1) of buffer_type; 
type boolean_array_type is array(l..l) of boolean_type; 



type machinel state type is 



record 

state_number 
out_ buf fer 
ack_rec 
current 
end record; 



: natural 

: buf fer_array_type 
: boolean_array_type 
: integer range 1..1 



0 ; 

(others=*>dl) 
(others=>f) ; 
l; 



type machine2_state_type is 
record 

state number : natural 

in_bu"£fer : buf fer_array_type 

pkt_rec : boolean_array_type 

current : integer range 1..1 

end record; 

type global_variable_type is 
record 

DATA : buffer_type 

end record; 



- 0 ; 

= (others=>e) ; 
= (others->f) ; 
= 1 ; 



:= e; 



end definitions; 
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PREDICATE-ACTION 



separate (main) 

function Analyze_Predicates_Machinel ( local : machinel_state type; 

GLOBAL: global_variab!e_type ) return transition_- 

stack_package . stack is 
* begin 

MakeEmpty ( transit ion_stack) ; 
if (local . out_buf fer (1) /- E) then 
Push (transition_stack, snd_datal) ; 
end if; 

if ( (local. ack_rec(l)=f) and GLOBAL. DATA=Al) then 
Push (transit ion_stack, rcv_ackl) ; 
end if; 

Push (transit ion_stack, adv_winl) ; 
return transition_stack; 
end Analyze_Predicates_Machinel ; 



separate (main) 

function Analyze_Predicates_Machine2 ( local : machine2_st ate_type ; 

GLOBAL: global_variable_type) return transition_- 

stack_package . stack is 
begin 

MakeEmpty ( transit ion_stack) ; 

if ( (GLOBAL. DATA = Dl) and (local ,pkt_rec (1) =f) ) then 
Push (transition_stack, rcv_datal) ; 
end if; 

if (local .pkt_rec ( 1) =t ) then 

Push (t ransit ion_stack, snd_ackl) ; 
end if; 

return t ransit ion_stack; 

end Analyze_Predicates_Machine2; — this returned value is then checked against the 
machine arrays 

— to determine if indeed this transition can be 

taken 



separate (main) 

procedure Act ion ( in_system_st ate : in 

in_transit ion : 
out_system_state : 



out Gstate_record_type; 
in out scm_transit ion_type; 
in out Gst ate_record_t ype ) is 



temp : integer 0; 

begin 

case (in_transit ion) is 
when (snd_datal) => 

out_syst em_st ate . GLOBAL_VAR IABLES . DATA : = 

in_system_state .machine Instate . out_buf fer ( 1) ; 
when (rcv_ackl) => 

out_system_state . machine l_state . ack_rec ( 1 ) := t; 

out_system_state .GL0BAL_VARIABLES . DATA := e; 
out_system_state .macninel_state . current := 1; 
when (rcv_datal) => 

out_system_state . machine2_state.in_0uffer(l) := 
in_system_state . GLOB AL_ VAR IABLES"! DATA; 
out_syst em_st ate. GLOBAL_VARIABLES. DATA : = e; 
out_system_state .machine2_state . pkt_rec ( 1) := t; 
when (snd_ackl) => 

out_system_ state . G LOB AL_VAR IABLES .DATA := al; 
out _system_state . machine2_state . pkt_rec ( 1) := f; 

. out__system_st ate . machine2_st a te . in_bu f fer ( 1 ) := e; 

when (adv_winl) => 

out_syst em_st ate . ma- 
chine l_s tat e . ack_rec ( in_sys tem_st ate . machinel_state . cur rent ) : = f ; 

when others »> 

put_l ine ( "There is an error in the Action procedure"); 
end case; 
end Action; 
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OUTPUT FORMAT 



separate (main) 

procedure output_Gtuple ( tuple : in out Gstate_record_type) is 
begin 

put(* (" & integer' image (tuple .machinel_state . state_number ) ) ; 
put(* , " & integer' image (tuple . machine2_state . state^number) ) ; 
put (* , m ) ; 

put (tuple. machinel_state .out_buffer (1) , width =*> 1); 
put (* , *) ; 

put (tuple .machinel_state . ack_rec (1) , width=>2) ; 
put (* , m ) ; 

put (tuple. machine2_state . in_buffer(l) , width «> 1); 

put r , m ) ; 

put (tuple .machine2_st ate .pkt_rec ( 1) , width=>2) ; 

putr , *>; 

put (tuple. GLOBAL VARIABLES. DATA, width =*>2) ; 
put ( m ]") ; 
end output_Gtuple; 

separate (main) 

procedure output_Gtuple_to_f ile (tuple : in out Gstate_record_type ; 

counter : in out integer) is 

begin 

put (reach, counter) ; 

put (reach," [* & integer' image (tuple .machinel_state . state_number) ) ; 
put (reach," ," & integer' image ( tuple . machine2_state . state_number) ) ; 
put (reach, ", *) ; 

put (reach, tuple. ma‘chinel_state .out_buffer (1) , width => 1); 
put (reach," , *) ; 

put (reach, tuple .machinel_state .ack_rec (1) , width=>2) ; 
put ( reach, ", *) ; 

put (reach, tuple. machine2_state . in_buf fer (1) , width -> 1); 
put (reach," , *) ; 

put (reach, tuple .machine2_state .pkt_rec (1) , width=>2) ; 
put (reach," , *) ; 

put (reach, tuple. GLOBAL_VARIABLES. DATA, width =>2) ; 
put (reach," ]"); 
new_line (reach) ; 
end output_Gtuple_to_f i le; 

separate (main) 

procedure output_Gstate_node (Gstate pointer : in out Glink_type; 

Error_rIag : in out boolean) is 

begin 

output_line_count := output_l ine_count .+ 1; 
if ( (output_line_count mod 10) = 0) then 
scroll_pause; 
end if; 

set_col (Gcolumn_set ) ; 

put (Gstate_pointer . system__state_number, width => 3); 
output_Gtuple (Gstate pointer .Gtuple) ; 

if ( (Gstate_pointer. linkl .Glink » null) and then (Gstate_po inter . Iink2 .Glink = null) 
and then 

(Gstate_pointer . Iink3 .Glink = null) and then (Gstate_pointer . 1 ink4 .Glink = null)) 

then 

Error_flag := true; 
else 

Error_flag := false; 
end if; 

end output_Gstate_node; 
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OUTPUT 



REACHABILITY ANALYSIS of : sel_rep_wl 
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APPENDIX J (SCM) SELECTIVE REPEAT, W=2 



INPUT (FSM) 

start 
machine 1 
state 0 

trans snd_datal 1 
state 1 

trans rcv_ackl 2 
state 2 

trans adv_winl 0 
machine 2 
state 0 

trans rcv_datal 1 
state 1 

trans snd_ackl 0 
initial_state 0 0 
finish 
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VARIABLE DEFINITIONS 



package definitions is 



type scm_transit ion_type is (snd_data, rcv_data, 

snd_ack, rcv_ack, 
adv_winl, unused); 

type buffer_type is (dl, d2 , e r al, a2 ) ; 
type boolean_type is (t,f); 

subtype ack_buf fer_type is buffer_type range e..a2; 
subtype datajouf fer_type is buffer_type range dl..e; 

type ack_array_type is array(1..2) of ack_buf fer_type; 
type data_array_type is array(1..2) of data_buf fer_type; 

type boolean_array_type is array (1.. 2) of boolean_type; 



type machinel state type is 



record 

state_number 
out_buf fer 
ack_rec 
current 
hold 

end record; 



: natural 
: data_array_type 
: boolean_array_type 
: integer range~1..2 
: boolean_type 



= 0 ; 

= (dl, d2 ) ; 

= (others=>f) 



■ 1 ; 
= f; 



type machine2_state_type is 
record 

state number : natural 

in_buTfer : data_array_type 

pkt rec : boolean_array__type 

end record; 



:* 0 ; 

:= (others*>e) 
(others=>f) 



type global_variable_type is 
record 

DATA : data_array_t ype := (others=>e) ; 

CONTROL : ack_array_t ype := (others=>e) ; 

end record; 

end definitions; 
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PREDICATE- ACTION 



separate (main) 

function Analyze_Predicates_Machinel { local : mach inel_state type; 

GLOBAL: global_variabFe_type) return transition^- 

stack_package . stack is 
begin 

MakeEmpty (trans it ion_stack) ; 

if <( (local .hold * f) and (local .outjbuffer (1) /= E) and (GLOBAL . DATA { 1 ) =E) ) or 

((local. hold =* f) and (local .out_buf fer (2) /- E) and (GLOBAL . DATA (2) =E) ) ) then 
Push (transit ion_stack, snd_data) ; 
end if; 

if ( ( (local . ack_rec (1) ®f ) and (GLOBAL .CONTROL (1) = Al) ) or 

( (local . ack_rec (2) -f ) and (GLOBAL .CONTROL (2 ) = A2 ) ) ) then 
Push (transit ion_stack, rcv_ack) ; 
end if; 

Push (transit ion_stack, adv_w ini ) ; 
return transit ion_stack; 
end Analyze_Predicates_Machinel; 

separate (main) 

function Analyze_Predicates_Machine2 (local : mach ine2_state type; 

GLOBAL: global_variable_type) return transition^- 

stack_package . stack is 
begin 

MakeEmpty (trans it ion_stack) ; 

if (( (GLOBAL. DATA (1) = Dl) and (GLOBAL. DATA (2) = E) and { local .pkt_rec ( 1) =f) ) or 

( (GLOBAL. DATA (1) =*E) and (GLOBAL. DATA (2 ) =*D2) and ( local .pkt_rec (2) =f ) ) or 

( (GLOBAL. DATA (1) = Dl) and (GLOBAL . DATA ( 2 ) = D2) and ( local . pkt_rec ( 1 ) =t) and 

( local .pkt_rec (2) =f ) ) or 

( (GLOBAL. DATA (1) = Dl) and (GLOBAL . DATA ( 2 ) = D2) and ( local .pkt_rec ( 1 ) =f) and 

(local .pkt_rec (2) =f ) ) ) then 
Push (trans it ion_stack, rcv_data) ; 
end if; 

if (( (GLOBAL. CONTROL (1) =E) and ( local .pkt_rec ( 1) «t) ) or 

( (GLOBAL. CONTROL (2) =E) and ( local . pkt_rec (2 ) »t ) ) ) then 
Push ( t ransition_stack, snd_ack) ; 
end if; 

return transit ion_stack; 

end Analyze_Predicates_Machine2; — this returned value is then checked against the 
machine arrays 

— to determine if indeed this transition can be 

taken 

separate (main) 

procedure Act ion ( in_sys tem_state : in out Gstate_record_type ; 

in_transition : in out scm_transit ion_type; 
out_system_state : in out Gstate_record_type) is 

temp : integer := 0; 

begin 

case (in_transition) is 
when (snd_data) => 

out_system_st ate . GLOBAL_VARI ABLES . - 
DATA <in_system_s t ate .mach ine Instate . current ) : = 

in_sy sternest ate .mach inel_state . out_- 
buf fer (in_system_state .machine l_st ate .current ) ; 

out_system_state . mach inel_state . cur rent :« in_system_state . machine l_state . - 

current; 

begin 

case ( in_system_st ate . mach ine 1 state . current ) is 
when 1 => 

out_system_st ate .machine l_state . cur rent := 2; 
when 2 => 

— out_sy stem_state .machinel_state . cur rent := 1; 
out_system_state . machinel_state . hold := t; 
when others => 

put_line ( "error in the action procedure"); 
end case; 
end; 

when (rcv_ack) => 

if <in_system_state . GLOBAL_VARIABLES .CONTROL (1) =A1) then 
out_system_state.machinel_state.ack_rec (1) := t; 

out^system_state . GLOB AL_VAR I ABLES . CONTROL ( 1 ) := e; 

out_system_state .machinel_state . current := 1; 
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else 

if (in_system_state .GLOBAL_VARIABLES .CONTROL ( 2 ) =A2 ) Chen 
out_system_state.machinel_state.ack_rec (2) := t; 

out_system_state.GLOBAL_VARIABLES. CONTROL (2) :=e; 

out_system_state .machine Instate .current := 2; 
end ifT 
end if; 

when (rcv_data) *> 

if { in_system_state . GLOBAL_VARIABLES .DATA ( 1) = Dl) then 
out_system_state .machine2_state . in_buffer (1) := 

in_system_state .GLOBAL_VARIABLES . DATA ( 1 ) ; 
out_system_state ,GLOBAL_VARIABLES .DATA (1) e; 
out_system_state .machine2_state .pkt_rec ( 1) := t; 
else 

if <in_system_state. GLOBAL VARIABLES . DATA (2) =» D2) then 
out system state .machine2_state . in_buf fer (2) := 

in“systenTstate .GLOBALJ/ARIABLES .DATA (2) ; 
out_system_state . GLOBAL_VARIABLES .DATA (2) e; 
out_system_state .mach ine2_state . pkt_rec (2) t; 
end if; 
end if; 

when \snd_ack) => 

if <in_system_state.machine2_state .pkt_rec \1) *t ) then 

out_system_state.GLOBAL_VARIABLES. CONTROL (1) :=* al; 

out_system_state . machine2_state .pkt_rec ( 1) := f; 

out_system_state .machine2_state . in_buf fer ( 1) := e; 

else 

if ( in_sys tem_state .mach ine2_state .pkt_rec (2) =t ) then 

out_system_state .GLOBAL_VARIABLES .CONTROL (2) :=• a2; 

out_system_state . machine2_state . pkt^rec (2) := f; 

out~system~state .machine2~state . in_Suf fer (2) := e; 

end if; 

end if; 

when (adv_vinl) => 

if ( ( in_sy stem_state . machine l_state . ack_rec ( 1 ) =t ) and 
( in~sy sternest ate . machine l_state . ack~rec (2) =f) and 
(in_system_state.machinel_state.hol3 * t) and 
( in_system_state . mach ine l_state .current = 1) and 
( in_system_state .GL0BAL_VARIABLES . DATA ( 1) * E) and 
( in_sy stem_sta te . GLOBAL_ VARIABLES . DATA (2) = D2)) then 
out_system_st ate. mach inel_st ate. ack_rec (1) : = £; 

out_system_state . machine l_st ate .ack_rec (2) : = £ ; 

out_sy stem_state .machine l_st ate .hol3 :*f ; 
out_system_state .mach ine Instate .cur rent : =2 ; 
out_system_st ate . GLOBAL_VARIABLES . DATA ( 1 ) := Dl; 

ou t_system_state . GLCBAL_VARIABLES . DATA (2) := E; 

elsif 

( ( in_sy st em_st ate . machine l_state .ack_rec (1) =t) and 
( in_system_state .mach ine l_st ate .ack_rec (2) »f ) and 
( in_system~state . machinel_state .hold = t) and 
( in_system_st ate . machine l_st ate . current * 1) and 
( in_system_state . mach ine2_state . in_buf fer (1) = £) and 
( in_system_state . machine2_state . in_bu £ fer (2) = D2) and 
( in_system_st ate . mach ine2_state . pkt_rec ( 1) = £) and 

( in_system_state . mach ine2_state . pkt_rec (2 ) = t) ) then 
out_system_state .machinel_state .ack_rec (1) :=£; 

out_sy stem_st a te . machine l_st ate . ack_rec (2) :=£; 

out_system_state . machine l_state . ho Id : = £; 
ou t_sy stem_s t ate . mach ine l_st ate . cur rent : =2; 
out_system_state . machine2_st ate . in_bu£ fer ( 1) Dl; 
out_system_state .machine2_state. in_buf fer (2) := E; 

out_system_state . machine2_st ate . pkt_rec ( 1) : = t; 

out_system_state . machine2_st ate . pkt_rec (2) := £; 

elsif 

( ( in_sy stem_st ate .mach ine l_st ate .ack_rec ( 1) =t) and 
( in_system_state .machinel_state.ack_rec (2) =f) and 
( in_system_state .machinel_state .ho Id = t) and 
( in_system_st ate .mach ine l_st ate .current = 1) and 
( in_system_st ate . GLOBAL_ VARIABLES . CONTROL ( 1 ) => E) and 
( in_system_state.GLOBAL_VAR!ABLES .CONTROL (2) = A2) ) then 
ou t_system_st ate . machine l_st ate .ack_rec (1) *: = f ; 
out_system_st ate .mach ine l_st ate .ack_rec (2) : = f ; 

out_system_st ate .machine Instate .hold : = £; 
out _system_st a te . machine l_st ate .current :=2; 
ou t_system_sta te .GLOBAL_ VAR TABLES .CONTROL ( 1 ) : = Al; 
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out_system_st ate. GLOBAL_VARIABLES . CONTROL (2) := E; 

else 



if ( ( in_system_state . machine Instate .ack_rec (1) =t ) and 
(in_system_state.GL0BAL_VARIABLES.DATA(2) /-E) ) then 
out_system_state .machine Instate . hold := t; 

elsif ( (in_system_state .machinel_state .ack_rec (1) = t) and 
(in_system_state.machinel_state .ack_rec (2) =f ) and 
{ in_system_state . GLOBAL_VARIABLES . DATA (2 ) =E) ) then 
out_system_state .machinel_state . ack_rec { 1 ) := f 

elsif ( ( in_system_state . machinel_state .ack_rec {1) =f ) and 
(in_system_state .machinel_state .ack_rec (2) =t) and 
( in_system_state . machinel_state .hold = t)) then 
out_system_state.machinel_state.ack rec(2) f 
out_system_state.machinel_state.hol3 f; 

else 

if ( (in_system_state.machinel_state.ack_rec (1) =*t) and 
( in_sys tem_st ate .machine l_st ate .ack_rec (2) =t) and 
( in_system_state . GLOBAL_VARIABLES . DATA ( 1 ) =E) and 
(in_system_state .GLOBAL VARIABLES . DATA (2) =E) ) then 
out_system_state . macKinel_state .hold :« f; 
out_system_state. machine l_state . ack_rec (1) := f; 

out_system_state.machinel_state.ack_rec (2) :* f; 

end if; 
end if; 

out system_state . machinel_state . current := 1; 
en3* if; 

when others *> 

put_line ("There is an error in the Action procedure"); 
end case; "" 
end Action; 
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OUTPUT FORMAT 



separate (main) 

procedure output_Gtuple (tuple : in out Gstate_record_ type) is 
begin 

put(* (* & integer' image (tuple .machinel_state . state_number ) ) ; 
put (* , " & integer' image (tuple .machine2_state . state_number) ) ; 
put (*,*); 

put (tuple .machinel_state . out_buffer ( 1) , width => 2); 
put (*,"); 

put (tuple .machinel_state . out_buf fer (2) , width => 2); 
put (*, ") ; 

put (tuple . machine Instate .aclt^rec ( 1) , width=>l) ; 
put <*,") ; 

put (tuple . machine Instate .ack^rec ( 2 ) # width=> 1 ) ; 
put (*,"); 

put (tuple .machine Instate .hold, width=>l) ; 
put {*, ") ; 

put (tuple .machine2_ state . in_buf fer ( 1) , width => 2); 
put ( * , " ) ; 

put (tuple .machine2_state . in_buf fer (2) , width =*> 2); 
put (*, ") ; 

put (tuple .machine2_st ate . pkt_rec ( 1) , width*>l ) ; 
put (*,"); 

put (tuple .machine2_state .pkt_rec (2) , width=>l) ; 
put (*,") ; 

put (tuple. GL0BAL_VARIABLES. DATA(l) , width = >2) ; 
put r *) ; 

put (tuple .GLOBAL_VARIABLES . DATA ( 2) , width =>2) ; 
put (*,"); 

put (tuple. GLOBAL VARIABLES .CONTROL (1) , width =>2) ; 
put {*,"); 

put (tuple. GLOBAL VARIABLES. CONTROL (2) , width =>2) ; 
put <*,"); 

put (tuple .mach inel_st at e . current , width=>l) ; 
putt* ]*) 7 
end output_Gtuple; 

separate (main) 

procedure output_Gtuple_to_f ile (tuple : in out Gstate_record_type; 

counter : in out integer) is 

begin 

put (reach, counter) ; 

put (reach," [* & integer' image (tuple . mach inel_st at e . state_number ) ) 
put (reach, " & integer' image (tuple . machine2_state . state_number) ) ; 
put (reach, ", ") ; 

put (reach, tuple. machinel_state. out_buffer (1) , width => 1); 
put (reach, ", ") ; 

put (reach, tuple .machinel_state.out_buffer (2) , width => 1); 
put (reach, ", ") ; 

put (reach, tuple . mach ine l_st ate . ack_rec (1) ,width = >l) ; 
put (reach, ", ") ; 

put (reach, tuple . machine Instate . ack_rec (2) ,width = >l) ; 
put (reach, ", ") ; 

put (reach, tuple . mach ine2_st ate . in_buf fer ( 1) , width => 1); 
put (reach, ", ") ; 

put (reach, tuple .machine2_state . in_buf fer (2) , width -> 1); 
put ( reach, ", ") ; 

put (reach, tuple . mach ine2_state . p*t_rec (1) ,width = >l)’ ; 
put ( reach, ", ") ; 

put (reach, tuple . machine2_st ate . pkt_rec (2) ,width=>l) ; 
put ( reach, ", ") ; 

put ( reach, tuple . GLOBAL_VARIABLES . DATA ( 1 ) , width =>1) ; 
put (reach, " ) ") ; 
new_line (reach) ; 
end output_Gtuple_to_f ile; 

separate (main) 

procedure output_Gst ate_node (Gst ate pointer : in out Glink_type; 

Error_riag : in out boolean) is 

begin 

output_line_count := output line_count 1; 
if ( (output_line_count mod TO) * 0) then 
scro ll_pause; 
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end if; 

set_col (Gcolumn_set ) ; 

put (Gstate_pointer . system^state^number, width => 3); 
out put_G tuple <Gstate_po inter .Gtuple) ; 

if ( (Gstate_pointer . linkl .Glink. * null) and then <Gstate_pointer . 1 ink2 . Glink = null) 
and then 

(Gstate_pointer . Iink3 .Glink. * null) and then (Gstate_pointer . Iink4 .Glink. * null)) 

then 

Error_flag true; 

else 

Error_flag false; 

end if; 

end output_Gstate_node; 
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